Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA
The products and specifications, configurations, and other technical information regarding the products in this manual are subject to change without notice. All statements, technical information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. You must take full responsibility for their application of any products specified in this manual. LICENSE PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL, DOCUMENTATION, AND/OR SOFTWARE (“MATERIALS”). BY USING THE MATERIALS YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS (WITH PROOF OF PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND. Cisco Systems, Inc. (“Cisco”) and its suppliers grant to you (“You”) a nonexclusive and nontransferable license to use the Cisco Materials solely for Your own personal use. If the Materials include Cisco software (“Software”), Cisco grants to You a nonexclusive and nontransferable license to use the Software in object code form solely on a single central processing unit owned or leased by You or otherwise embedded in equipment provided by Cisco. You may make one (1) archival copy of the Software provided You affix to such copy all copyright, confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY AUTHORIZED ABOVE, YOU SHALL NOT: COPY, IN WHOLE OR IN PART, MATERIALS; MODIFY THE SOFTWARE; REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE MATERIALS. You agree that aspects of the licensed Materials, including the specific design and structure of individual programs, constitute trade secrets and/or copyrighted material of Cisco. 
You agree not to disclose, provide, or otherwise make available such trade secrets or copyrighted material in any form to any third party without the prior written consent of Cisco. You agree to implement reasonable security measures to protect such trade secrets and copyrighted Material. Title to the Materials shall remain solely with Cisco. This License is effective until terminated. You may terminate this License at any time by destroying all copies of the Materials. This License will terminate immediately without notice from Cisco if You fail to comply with any provision of this License. Upon termination, You must destroy all copies of the Materials. Software, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. You agree to comply strictly with all such regulations and acknowledge that it has the responsibility to obtain licenses to export, re-export, or import Software. This License shall be governed by and construed in accordance with the laws of the State of California, United States of America, as if performed wholly within the state and without giving effect to the principles of conflict of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall remain in full force and effect. This License constitutes the entire License between the parties with respect to the use of the Materials Restricted Rights - Cisco’s software is provided to non-DOD agencies with RESTRICTED RIGHTS and its supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject to the restrictions as set forth in subparagraph “C” of the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19. In the event the sale is to a DOD agency, the U.S. 
Government’s rights in software, supporting documentation, and technical data are governed by the restrictions in the Technical Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202. DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall Cisco’s or its suppliers’ liability to You, whether in contract, tort (including negligence), or otherwise, exceed the price paid by You. The foregoing limitations shall apply even if the abovestated warranty fails of its essential purpose. The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. 
If it is not installed in accordance with Cisco’s installation
Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa Rica Croatia Czech Republic Denmark Dubai, UAE Finland France Germany Greece Hong Kong SAR Hungary India Indonesia Ireland Israel Italy Japan Korea Luxembourg Malaysia Mexico The Netherlands New Zealand Norway Peru Philippines Poland Portugal Puerto Rico Romania Russia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe Copyright 2001, Cisco Systems, Inc. All rights reserved. AccessPath, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing, Pre-
Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0104R)
Cisco Secure PIX Firewall Advanced, Revision 2.1: Student Guide Copyright 2002, Cisco Systems, Inc. All rights reserved. Printed in USA.
Table of Contents

COURSE INTRODUCTION 1-1
  Overview 1-1
  Course Objectives 1-2
  Lab Topology 1-7

NETWORK SECURITY AND THE CISCO PIX FIREWALL 2-1
  Overview 2-1
  Objectives 2-2
  Network Security 2-3
  Cisco AVVID and SAFE 2-13
  Summary 2-26

CISCO PIX FIREWALL MODELS AND FEATURES 3-1
  Overview 3-1
  Objectives 3-2
  Firewalls 3-3
  Overview of the PIX Firewall 3-8
  Summary 3-22

IDENTIFY THE CISCO PIX FIREWALL 4-1
  Overview 4-1
  Objectives 4-2
  Identify the PIX Firewall 501 Controls and Connectors 4-3
  Identify the PIX Firewall 506 Controls and Connectors 4-5
  Identify the PIX Firewall 515 Controls and Connectors 4-7
  Identify the PIX Firewall 520 Controls and Connectors 4-11
  Identify the PIX Firewall 525 Controls and Connectors 4-14
  Identify the PIX Firewall 535 Controls and Connectors 4-17
  Summary 4-21

BASIC CONFIGURATION OF THE CISCO PIX FIREWALL 5-1
  Overview 5-1
  Objectives 5-2
  General Maintenance Commands 5-3
  ASA Security Levels 5-20
  The Six Primary Commands 5-23
  Summary 5-35
  Lab Exercise—Configure the PIX Firewall and Execute General Maintenance Commands Lab 5-1

CISCO PIX FIREWALL TRANSLATIONS 6-1
  Overview
  Objectives
  Transport Protocols
  PIX Firewall Translations
  Access Through the PIX Firewall
  Other Ways Through the PIX Firewall
  Summary
  Lab Exercise—Configuring Access Through the PIX Firewall

CONFIGURING MULTIPLE INTERFACES 7-1
  [section titles not recovered in this copy] 7-2 7-3 7-8 Lab 7-1

DYNAMIC HOST CONFIGURATION PROTOCOL SUPPORT 8-1
  Overview 8-1
  Objectives 8-2
  Dynamic Host Configuration Protocol 8-3
  The PIX Firewall as a DHCP Server 8-5
  The PIX Firewall as a DHCP Client 8-15
  Summary 8-19
  Lab Exercise—Configure the PIX Firewall’s DHCP Server and Client Features Lab 8-1

CONFIGURING SYSLOG 9-1
  Overview 9-1
  Objectives 9-2
  Syslog Messages 9-3
  Summary 9-10
  Lab Exercise—Configure Syslog Output to a Syslog Host or Server from the PIX Firewall Lab 9-1

ACCESS CONTROL CONFIGURATION AND CONTENT FILTERING 10-1
  Overview 10-1
  Objectives 10-2
  Access Control Lists 10-3
  Converting Conduits to Access Control Lists 10-9
  Configuring Access Control 10-17
  Malicious Active Code Filtering 10-25
  URL Filtering 10-30
  Summary 10-33
  Lab Exercise—Configure ACLs in the PIX Firewall Lab 10-1

ADVANCED PROTOCOL HANDLING 11-1
  Overview 11-1
  Objectives 11-2
  Advanced Protocols 11-3
  Multimedia Support 11-15
  Summary 11-25
  Lab Exercise—Configure and Test Advanced Protocol Handling on the Cisco PIX Firewall Lab-1

ATTACK GUARDS AND INTRUSION DETECTION 12-1
  Overview 12-1
  Objectives 12-2
  Attack Guards 12-3
  Intrusion Detection 12-13
  Summary 12-21
  Lab Exercise—Configure the PIX Firewall to Use IDS Signatures Lab 12-1

AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING CONFIGURATION ON THE CISCO PIX FIREWALL 13-1
  Overview
  Objectives
  Introduction
  Installation of CSACS for Windows NT
  Authentication Configuration
  Authorization Configuration
  Accounting Configuration
  Troubleshooting the AAA Configuration
  Summary
  Lab Exercise—Configure AAA on the PIX Firewall Using CSACS for Windows NT

[PIX DEVICE MANAGER chapter; heading and page numbers not recovered in this copy]
  Overview
  Objectives
  PDM Overview
  PDM Operating Requirements
  Prepare for PDM
  Using PDM
  Other Tools
  Summary
  Lab Exercise—Configuring the PIX Firewall with PDM

THE CISCO IOS FIREWALL CONTEXT-BASED ACCESS CONTROL CONFIGURATION
  Overview
  Objectives
  Introduction to the Cisco IOS Firewall
  Context-Based Access Control
  Global Timeouts and Thresholds
  Port-to-Application Mapping
  Define Inspection Rules
  Inspection Rules and ACLs Applied to Router Interfaces
  Test and Verify
  Summary
  Lab Exercise—Configure CBAC on a Cisco Router

CISCO IOS FIREWALL AUTHENTICATION PROXY CONFIGURATION
  Overview
  Objectives
  Introduction to the Cisco IOS Firewall Authentication Proxy
  AAA Server Configuration
  AAA Configuration
  Authentication Proxy Configuration
  Test and Verify the Configuration
  Summary
  Lab Exercise—Configure Authentication Proxy on a Cisco Router
Overview

This chapter includes the following topics:

■ Course objectives
■ Course agenda
■ Participant responsibilities
■ General administration
■ Graphic symbols
■ Participant introductions
■ Lab topology
Course Objectives

This section introduces the course and the course objectives.

Upon completion of this course, you will be able to perform the following tasks:

• Identify PIX Firewall features, models, components, and benefits.
• Describe PIX Firewall installation procedures.
• Upgrade software images.
• Configure inbound and outbound access through the PIX Firewall.
• Configure multiple interfaces on the PIX Firewall.
• Configure the PIX Firewall as a DHCP server.
• Configure the PIX Firewall as a DHCP client.
• Configure the PIX Firewall to send messages to a Syslog server.
• Perform password recovery.
• Configure access control and content filtering on the PIX Firewall.
• Configure special protocol handling on the PIX Firewall.
• Configure attack guards and SSH.
• Configure AAA on the PIX Firewall.
• Configure and test failover using the PIX Firewall.
• Configure the IDS feature set.
• Configure a site-to-site VPN using the PIX Firewall.
• Configure a VPN Client-to-PIX Firewall VPN.
• Test and verify PIX Firewall operations.
• Install the PIX Device Manager and use it to configure the PIX Firewall.
• Configure Cisco IOS Firewall CBAC.
• Configure an authentication proxy with Cisco IOS software.
Network security is essential because the Internet is a network of interconnected networks without a boundary. Because of this fact, the organizational network becomes accessible and vulnerable from any computer in the world. As companies become Internet businesses, new threats arise from persons who no longer require physical access to a company’s computer assets. In a recent survey conducted by the Computer Security Institute (CSI), 70 percent of the organizations polled stated that their network security defenses had been breached and that 60 percent of the incidents came from within the organizations themselves.
Network Security and the Cisco PIX Firewall
2-3
Network Security Threats

There are four primary threats to network security:

■ Unstructured threats
■ Structured threats
■ External threats
■ Internal threats

Unstructured threats consist mostly of inexperienced individuals using easily available hacking tools from the Internet. Some of the people in this category are motivated by malicious intent, but most are motivated by the intellectual challenge and are commonly known as script kiddies. They are not the most talented or experienced hackers, but they have the motivation, which is all that matters.

Structured threats consist of hackers who are more highly motivated and technically competent. They usually understand network system designs and vulnerabilities, and they can understand as well as create hacking scripts to penetrate those network systems.

External threats are individuals or organizations working outside your company who do not have authorized access to your computer systems or network. They work their way into a network mainly from the Internet or dialup access servers.

Internal threats occur when someone has authorized access to the network with either an account on a server or physical access to the wire. They are typically disgruntled former or current employees or contractors.
Three Primary Network Attacks

There are three types of network attacks:

■ Reconnaissance attacks—An intruder attempts to discover and map systems, services, and vulnerabilities.
■ Access attacks—An intruder attacks networks or systems to retrieve data, gain access, or escalate their access privilege.
■ Denial of service (DoS) attacks—An intruder attacks your network in such a way that damages or corrupts your computer system, or denies you and others access to your networks, systems, or services.
Reconnaissance Attacks

Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, precedes an actual access or DoS attack. The malicious intruder typically ping sweeps the target network first to determine what IP addresses are alive. After this is accomplished, the intruder determines what services or ports are active on the live IP addresses. From this information, the intruder queries the ports to determine the application type and version as well as the type and version of the operating system running on the target host.

Reconnaissance is somewhat analogous to a thief scoping out a neighborhood for vulnerable homes that they can break into, such as an unoccupied residence, an easy-to-open door or window, and so on. In many cases the intruders go as far as “rattling the door handle,” not to go in immediately if it is opened, but to discover vulnerable services that they can exploit at a later time when there is less likelihood that anyone is looking.
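The two reconnaissance phases described above, a ping sweep followed by port probing, leave a characteristic trace in a firewall's deny log: one source touching many hosts in a short time, or one source touching many ports on a single host. The following Python is an added example and is not part of the course guide; it flags both patterns over constructed sample lines that loosely follow the shape of the PIX 6.x 106023 access-group denial message. The thresholds (8 hosts, 6 ports) and the 60-second window are assumptions chosen for illustration, not values from the course.

```python
"""Flag reconnaissance patterns in firewall deny logs.

Added example, not from the course guide. Sample lines are constructed and
loosely follow the PIX 6.x 106023 access-group denial format; thresholds and
the time window are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)(?:/\d+)? "
    r"dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def build_sample_log():
    """Constructed sample (not captured traffic): a 12-host ICMP sweep from
    192.0.2.10, an 11-port TCP scan of 10.0.1.5 from 192.0.2.20, and three
    retries of one blocked port from 198.51.100.7, which is not recon."""
    lines = []
    for i in range(1, 13):
        lines.append(
            f"Jan 10 2002 09:00:{i:02d}: %PIX-4-106023: Deny icmp src outside:192.0.2.10 "
            f"dst inside:10.0.1.{i} (type 8, code 0) by access-group acl_out"
        )
    for j, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]):
        lines.append(
            f"Jan 10 2002 09:05:{j:02d}: %PIX-4-106023: Deny tcp src outside:192.0.2.20/{40000 + j} "
            f"dst inside:10.0.1.5/{port} by access-group acl_out"
        )
    for k in range(3):
        lines.append(
            f"Jan 10 2002 09:10:{k * 20:02d}: %PIX-4-106023: Deny tcp src outside:198.51.100.7/51000 "
            f"dst inside:10.0.1.5/80 by access-group acl_out"
        )
    return "\n".join(lines)


def parse_line(line):
    """Return (timestamp, protocol, src_ip, dst_ip, dst_port_or_None), or None
    if the line is not a 106023 denial."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    dport = int(m["dport"]) if m["dport"] else None
    return ts, m["proto"], m["src"], m["dst"], dport


def detect_recon(log_text, window_seconds=60, sweep_hosts=8, scan_ports=6):
    """Map each suspicious source IP to the patterns seen from it.

    "sweep": denied traffic to >= sweep_hosts distinct destinations inside
             one window_seconds span (the ping-sweep phase).
    "portscan": >= scan_ports distinct ports on a single destination inside
             one span (the port/service discovery phase).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, _proto, src, dst, dport = parsed
            events[src].append((ts, dst, dport))

    findings = defaultdict(set)
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        # Slide a window starting at each event; cheap enough for log review.
        for i, (t0, _, _) in enumerate(evs):
            hosts, ports_by_host = set(), defaultdict(set)
            for t, dst, dport in evs[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                hosts.add(dst)
                if dport is not None:
                    ports_by_host[dst].add(dport)
            if len(hosts) >= sweep_hosts:
                findings[src].add("sweep")
            if any(len(p) >= scan_ports for p in ports_by_host.values()):
                findings[src].add("portscan")
    return dict(findings)


if __name__ == "__main__":
    for src, patterns in sorted(detect_recon(build_sample_log()).items()):
        print(f"{src}: {', '.join(sorted(patterns))}")
```

Run stand-alone, the script reports 192.0.2.10 as a sweep and 192.0.2.20 as a port scan while staying silent about 198.51.100.7, whose repeated denials on one port are the kind of noise that a per-event alert would flag but a per-source, per-window count does not. On a production PIX the same logic would be fed from the Syslog host configured in the later chapter on Syslog, and the thresholds tuned against the site's normal deny volume.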
Access Attacks

Access is an all-encompassing term that refers to unauthorized data manipulation, system access, or privilege escalation.

Unauthorized data retrieval is simply reading, writing, copying, or moving files that are not intended to be accessible to the intruder. Sometimes this is as easy as finding shared folders on Windows 9x or NT, or NFS exported directories on UNIX systems with read or read-write access for everyone. The intruder will have no trouble getting to the files and, more often than not, the easily accessible information is highly confidential and completely unprotected from prying eyes, especially if the attacker is already an internal user.

System access is the ability of an intruder to gain access to a machine to which the intruder is not allowed access (for example, the intruder does not have an account or password). Entering or accessing systems to which one does not have access usually involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked.

Another form of access attack is privilege escalation. This is done by legitimate users with a lower level of access privileges, or by intruders who have gained lower-privileged access. The intent is to get information or execute procedures that are not authorized at their current level of access. In many cases this involves gaining root access on a UNIX system to install a sniffer to record network traffic, such as usernames and passwords, which can then be used to access another target.

In some cases, intruders only want to gain access without stealing information—especially when the motive is intellectual challenge, curiosity, or ignorance.
DoS Attacks

DoS is when an attacker disables or corrupts networks, systems, or services with the intent to deny the service to intended users. It usually involves either crashing the system or slowing it down to the point that it is unusable. But DoS can also be as simple as wiping out or corrupting information necessary for business. In most cases, performing the attack simply involves running a hack, script, or tool. The attacker does not need prior access to the target because all that is usually required is a way to get to it. For these reasons and because of the great damaging potential, DoS attacks are the most feared—especially by e-commerce web site operators.
Network Security as a Continuous Process

Network security should be a continuous process built around a security policy. A continuous security policy is most effective because it promotes retesting and reapplying updated security measures on a continuous basis. This continuous security process is represented by the Security Wheel.

To begin this continuous process known as the Security Wheel, you need to create a security policy that enables the application of security measures. A security policy needs to accomplish the following tasks:

■ Identify the organization’s security objectives.
■ Document the resources to be protected.
■ Identify the network infrastructure with current maps and inventories.

To create or implement an effective security policy, you need to determine what it is you want to protect and in what manner you are going to protect it. You should know and understand your network’s weak points and how they can be exploited. You should also understand how your system normally functions so that you know what to expect and are familiar with how the devices are normally used. Finally, consider the physical security of your network and how to protect it. Physical access to a computer, router, or firewall can give a user total control over that device.

After the security policy is developed, it becomes the hub upon which the next four steps of the Security Wheel are based:

Step 1  Secure the system. This involves implementing security devices—firewalls, identification authentication systems, encryption, and so on—with the intent to prevent unauthorized access to network systems. This is where the Cisco Secure PIX Firewall is effective.

Step 2  Monitor the network for violations and attacks against the corporate security policy. Violations can occur within the secured perimeter of the network from a disgruntled employee or from the outside of the network from a hacker.
Monitoring the network with a real-time intrusion detection system, such as the Cisco Secure Intrusion Detection System, can ensure that the security devices in Step 1 have been configured properly.

Step 3  Test the effectiveness of the security safeguards in place. Use the Cisco Secure Scanner to identify the security posture of the network with respect to the security procedures that form the hub of the Security Wheel.

Step 4  Improve corporate security. Collect and analyze information from the monitoring and testing phases to make security improvements.

All four steps—secure, monitor, test, and improve—should be repeated on a continuous basis and should be incorporated into updated versions of the corporate security policy.
Secure the Network

Implement security solutions to stop or prevent unauthorized access or activities, and to protect information. Secure the network by applying the security policy and implementing the following security solutions:

■ Authentication—Gives access to authorized users only (for example, using one-time passwords).
■ Encryption—Hides traffic contents to prevent unwanted disclosure to unauthorized or malicious individuals.
■ Firewalls—Filter network traffic to allow only valid traffic and services.
■ Vulnerability patching—Applies fixes or measures to stop the exploitation of known vulnerabilities. This includes turning off services that are not needed on every system; the fewer services that are enabled, the harder it is for hackers to gain access.
Note
Also remember to implement physical security solutions to prevent unauthorized physical access to the network.
Monitor Security

• Detects violations of the security policy
• Involves system auditing and real-time intrusion detection
• Validates the security implementation in Step 1

Monitor the network for violations and attacks against the corporate security policy. These attacks can occur within the secured perimeter of the network—from a disgruntled employee or contractor—or from a source outside your trusted network. Monitoring the network should be done with a real-time intrusion detection device such as the Cisco Secure Intrusion Detection System (CSIDS). This assists you in discovering unauthorized entries, and also serves as a check-and-balance system for ensuring that devices implemented in Step 1 of the Security Wheel have been configured and are working properly.
Test Security

• Validates effectiveness of the security policy through system auditing and vulnerability scanning

Validation is a must. You can have the most sophisticated network security system, but if it is not working, your network can be compromised. This is why you need to test the devices you implemented in Steps 1 and 2 to make sure they are functioning properly. The Cisco Secure Scanner is designed to validate your network security.
Improve Security

• Use information from the monitor and test phases to make improvements to the security implementation.
• Adjust the security policy as security vulnerabilities and risks are identified.

The improvement phase of the Security Wheel involves analyzing the data collected during the monitoring and testing phases, and developing and implementing improvement mechanisms that feed into your security policy and the securing phase in Step 1. If you want to keep your network as secure as possible, you must keep repeating the cycle of the Security Wheel, because new network vulnerabilities and risks are created every day.
Cisco AVVID and SAFE

This section discusses Cisco Architecture for Voice, Video, and Integrated Data (AVVID) and SAFE.

[Figure: Cisco AVVID Architecture. Labels shown in the diagram: Supply Chain, Customer Care, Internet Commerce, E-Learning, Workforce Optimization, Internet Business Integrators, Messaging, Internet Middleware Layer, Collaboration, Contact Center, Multimedia, Video on Demand, Personal Productivity, Voice, Call Processing, Policy Management, Security, Content Distribution, SLA Management, Address Management.]
Cisco AVVID can be viewed as a framework to describe a network optimized for the support of Internet business solutions and as a best practice or roadmap for network implementation. This section discusses the various layers of the Cisco AVVID framework. The following are the different parts of the Cisco AVVID architecture:

■ Clients—The wide variety of devices that can be used to access the Internet business solutions through the network. These might include phones, PCs, PDAs, and so on. One key difference from traditional proprietary architectures is that the Cisco AVVID standards-based solution enables a wide variety of devices to be connected, even some not yet in broad use. Unlike traditional telephony and video solutions, proprietary access devices are not necessary. Instead, functionality is added through the intelligent network services provided in the infrastructure.

■ Network Platforms—The network infrastructure provides the physical and logical connection for devices, bringing them into the network. Network platforms are the LAN switches, routers, gateways, and other equipment that interconnect users and servers. Cisco network platforms are competitive for features, performance, and price, but their key capabilities are the integration and interaction with other elements of the Cisco AVVID framework. This layer of Cisco AVVID is the foundation for all applications that will be integrated to solve business problems.

■ Intelligent Network Services—The intelligent network services, provided through software that operates on network platforms, are a major benefit of an end-to-end architecture for deploying Internet business solutions. From quality of service (QoS) (prioritization) through security, accounting, and management, intelligent network services reflect the enterprise’s business rules and policies in network performance. A consistent set of services end-to-end through the network is vital if the infrastructure is to be relied upon as a network utility. These consistent services enable new Internet business applications and e-business initiatives to roll out very quickly without a major re-engineering of the network each time. By contrast, networks built on best-of-breed strategies may promise higher performance in a specific device, but cannot be counted on to deliver these sophisticated features end-to-end in a multivendor environment. Cisco AVVID supports standards to provide for migration and the incorporation of Internet business integrators, but the added intelligent network services offered by an end-to-end Cisco AVVID solution go far beyond what can be achieved in a best-of-breed environment.

■ Internet middleware layer—The next section, including service control and communication services, is a key part of any networking architecture, providing the software and tools to break down the barriers of complexity arising from new technology. These combined layers provide the tools for integrators and customers to tailor their network infrastructure and customize intelligent network services to meet application needs. These layers manage access, call setup and teardown, perimeter security, prioritization and bandwidth allocation, and user privileges. Software such as distributed customer contact suites, messaging solutions, and multimedia and collaboration tools provides capabilities and a communication foundation that enable interaction between users and a variety of application platforms. In a best-of-breed strategy, many of these capabilities must be individually configured or managed. In traditional proprietary schemes, vendors dictated these layers, limiting innovation and responsiveness. Rapid deployment of Internet business solutions depends on consistent service control and communication services capabilities throughout the network. These capabilities are often delivered by Cisco from servers distributed throughout the network. The service control and communication services layers are the glue that joins the Internet technology layers of the Cisco AVVID framework with the Internet business solutions, in effect tuning the network infrastructure and intelligent network services to the needs of the Internet business solutions. In turn, the Internet business solutions are adapted for the best performance and availability on the network infrastructure by exploiting the end-to-end services available through the Cisco AVVID framework.

■ Internet business integrators—As part of the open ecosystem, it is imperative to enable partners with Cisco AVVID. Cisco realizes the crucial requirement to team with integrators, strategic partners, and customers to deliver complete Internet business solutions. Cisco AVVID offers a guide for these interactions by describing a consistent set of services and capabilities that form a basis for many types of partner relationships.

■ Internet business solutions—Enterprise customers are deploying Internet business solutions to re-engineer their organizations. The applications associated with Internet business solutions are not provided by Cisco, but are enabled, accelerated, and delivered through Cisco AVVID. The ability for companies to move their traditional business models to Internet business models and to deploy Internet business solutions is key to their survival. Cisco AVVID is the architecture upon which e-businesses build Internet business solutions that can be easily deployed and managed. Ultimately, the more Internet business solutions that are delivered, the more efficiently and effectively companies will increase productivity and added value.
Network Security and the Cisco PIX Firewall
Cisco AVVID Overview
• Cisco AVVID is the one enterprise architecture that provides the intelligent network infrastructure for today’s Internet business solutions. • As the industry’s only enterprise-wide, standards-based network architecture, Cisco AVVID provides the roadmap for combining Cisco customers’ business and technology strategies into one cohesive model.
The Internet is creating tremendous business opportunities for Cisco and Cisco customers. Internet business solutions such as e-commerce, supply chain management, e-learning, and customer care are dramatically increasing productivity and efficiency. Cisco AVVID is the one enterprise architecture that provides the intelligent network infrastructure for today’s Internet business solutions. As the industry’s only enterprise-wide, standards-based network architecture, Cisco AVVID provides the roadmap for combining customers’ business and technology strategies into one cohesive model.
Cisco AVVID Benefits • Integration—By leveraging the Cisco AVVID architecture and applying the network intelligence inherent in IP, companies can develop comprehensive tools to improve productivity. • Intelligence—Traffic prioritization and intelligent networking services maximize network efficiency for optimized application performance. • Innovation—Customers have the ability to adapt quickly in a changing business environment. • Interoperability—Standards-based APIs enable open-integration with third-party developers, providing customers with choice and flexibility.
With Cisco AVVID, customers have a comprehensive roadmap for enabling Internet business solutions and creating a competitive advantage. There are four Cisco AVVID benefits: ■
Integration—By leveraging the Cisco AVVID architecture and applying the network intelligence inherent in IP, companies can develop comprehensive tools to improve productivity.
■
Intelligence—Traffic prioritization and intelligent networking services maximize network efficiency for optimized application performance.
■
Innovation—Customers have the ability to adapt quickly in a changing business environment.
■
Interoperability—Standards-based application programming interfaces (APIs) enable open-integration with third-party developers, providing customers with choice and flexibility.
Combining the network infrastructure and services with new-world applications, Cisco AVVID accelerates the integration of technology strategy with business vision.
SAFE Blueprint Overview • Building on Cisco AVVID, the SAFE framework provides a secure migration path for companies to implement converged voice, video, and data networks. • SAFE is a flexible framework that empowers companies to securely, reliably, and cost-effectively take advantage of the Internet economy. • SAFE integrates scalable, high performance security services throughout the e-business infrastructure. • SAFE is enhanced by a rich ecosystem of products, partners, and services that enable companies to implement secure e-business infrastructures today.
SAFE is a flexible, dynamic security blueprint for networks, which is based on Cisco AVVID. SAFE enables businesses to securely and successfully take advantage of e-business economies and compete in the Internet economy. As the leader in networking for the Internet, Cisco is ideally positioned to help companies secure their networks. The SAFE blueprint, in conjunction with an ecosystem of best-of-breed, complementary products, partners, and services, ensures that businesses can deploy robust, secure networks in the Internet age.
SAFE Benefits • Provides a proven, detailed blueprint to securely compete in the Internet economy • Provides the foundation for migrating to secure, cost-effective, converged networks • Enables organizations to stay within their budgets by deploying a modular, scalable security framework in stages • Delivers protection at every access point to the network through best-in-class security products and services
The SAFE Blueprint provides a robust security blueprint that builds on Cisco AVVID. SAFE layers are incorporated throughout the Cisco AVVID infrastructure: ■
Infrastructure layer—Intelligent, scalable security services in Cisco platforms, such as routers, switches, firewalls, intrusion detection systems, and other devices
■
Appliances layer—Incorporation of key security functionality in mobile hand-held devices and remote PC clients
■
Service control layer—Critical security protocols and APIs that enable security solutions to work together cohesively
■
Applications layer—Host- and application-based security elements that ensure the integrity of critical e-business applications
To facilitate rapidly deployable, consistent security throughout the enterprise, SAFE consists of modules that address the distinct requirements of each network area. By adopting a SAFE blueprint, security managers do not need to redesign the entire security architecture each time a new service is added to the network. With modular templates, it is easier and more cost-effective to secure each new service as it is needed and to integrate it with the overall security architecture. One of the unique characteristics of the SAFE blueprint is that it is the first industry blueprint that recommends exactly which security solutions should be included in which sections of the network, and why they should be deployed. Each module in the SAFE blueprint is designed specifically to provide maximum performance for e-business, while at the same time enabling enterprises to maintain security and integrity.
SAFE Blueprint and Ecosystem (figure). Solutions: secure e-commerce, secure supply chain management, secure intranet for workforce optimization. Ecosystem: integration partners, Security Associate solutions, Cisco programs and services. Layers: directory, service control, infrastructure, appliances or clients.
Cisco has opened its Cisco AVVID architecture and SAFE blueprint to key third-party vendors to create a security solutions ecosystem to spur development of best-in-class multiservice applications and products. The Cisco AVVID architecture and SAFE blueprint provide interoperability for third-party hardware and software using standards-based media interfaces, APIs, and protocols. This ecosystem is offered through the Security and Virtual Private Network (VPN) Associate Program, an interoperability solutions program that provides Cisco customers with tested and certified, complementary products for securing their businesses. The ecosystem enables businesses to design and roll out secure networks that best fit their business model and enable maximum agility.
Cisco AVVID Partner Program Security and VPN Products (figure: solution categories such as secure connectivity and event logging, reporting, and analysis)
The Security and VPN Solutions Set within the Cisco AVVID Partner Program is an interoperability solutions program developed to deliver comprehensive security and VPN solutions for Cisco networks to Cisco customers. This program is a key component of the SAFE strategy in that it provides a rich ecosystem of products, partners, and services that empowers companies to securely, reliably, and cost-effectively take advantage of the Internet Economy. The program provides the assurance that security solutions making up Partner products have been tested and verified to be interoperable with Cisco security products, and add distinct value to Cisco networks. The goal is to enable Cisco customers to securely take advantage of the expanding e-business marketplace. The security and VPN solutions created through this interoperability program are focused on critical business applications such as e-commerce, secure remote access, intranets, extranets, and supply-chain integration and management. As a result, the solutions categories currently targeted in the program include those that customers continue to request and deploy in their networks:
■
Identity solutions—Include authentication, authorization, and Public Key Infrastructure (PKI) solutions such as smart cards, hard and soft tokens, authentication servers, and Certificate Authority (CA) servers
■
Application security solutions—Include products such as server and host protection applications
■
Perimeter security solutions—Include products such as URL filtering, e-mail scanning, and virus scanning applications
■
Security management and monitoring solutions—Include products that support Syslog reporting, event analysis, reporting, and secure remote administration
■
Secure connectivity solutions—Include products such as VPN client software and wireless VPN products
Cisco AVVID Partner Program Security and VPN Services (figure: service categories such as application and code review)
The security services offered through the AVVID Partner Program are focused on specific areas of security services available in the industry. As a result, the services categories currently targeted include those that customers continue to request and deploy in their organizations: ■
Application and code review—Examines and analyzes security structure and vulnerabilities of hardware and software systems
■
Outsourced monitoring and management—Provides third-party management, monitoring of security infrastructure with incident notification, or both
■
Policy and procedures—Provides assistance with reviewing and building robust and effective security policies and practices
■
Incident response—Responds to and mitigates attacks on systems and networks
Cisco AVVID Partner Program Security and VPN Services (cont.) (figure: business impact and risk assessment)
Overview This chapter includes the following topics: ■
Objectives
■
Firewalls
■
Overview of the PIX Firewall
■
Summary
Objectives This section lists the chapter’s objectives.
Objectives Upon completion of this chapter, you will be able to perform the following tasks: • Describe firewall technologies and define the three types of firewalls used to secure today’s computer networks. • Describe the PIX Firewall. • Identify the PIX Firewall models. • Describe the PIX Firewall features and functions.
By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. It can also be used to isolate one compartment from another. When applying the term firewall to a computer network, a firewall is a system or group of systems that enforces an access control policy between two or more networks.
Cisco PIX Firewall Models and Features
Firewall Technologies Firewall operations are based on one of three technologies: • Packet filtering • Proxy server • Stateful packet filtering
A firewall can use packet filtering to limit information entering a network, or information moving from one segment of a network to another. Packet filtering uses access control lists (ACLs), which allow a firewall to accept or deny access based on packet types and other variables. This method is effective when a protected network receives a packet from an unprotected network. Any packet that is sent to the protected network and does not fit the criteria defined by the ACLs is dropped. But there are problems with packet filtering: ■
Arbitrary packets can be sent that fit the ACL criteria and, therefore, pass through the filter.
■
Packets can pass through the filter by being fragmented.
■
Complex ACLs are difficult to implement and maintain correctly.
■
Some services cannot be filtered.
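The first two problems in the list above can be reproduced with a toy stateless filter. The following Python is an added example written for this page, not code from the course or from Cisco; the two ACL entries, the IOS-style `established` keyword semantics (match TCP packets with ACK or RST set), the rule for evaluating non-initial fragments, and the addresses are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    sport: Optional[int] = None      # None when no transport header is present
    dport: Optional[int] = None
    flags: frozenset = frozenset()   # TCP flags actually set, for example {"SYN"}
    frag_offset: int = 0             # > 0 marks a non-initial IP fragment


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "any"
    dst_port: Optional[int] = None
    established: bool = False        # IOS-style keyword: TCP packet with ACK or RST set

    def has_l4_conditions(self) -> bool:
        return self.dst_port is not None or self.established

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dst_port is not None and p.dport != self.dst_port:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


class StatelessFilter:
    """First matching entry wins; an implicit deny closes the list, as in a router ACL."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if p.frag_offset > 0:
                # A non-initial fragment carries no ports or flags, so only the network-layer
                # part of an entry can be tested. Classic ACL handling (modelled here, an
                # assumption of this example): a permit entry whose protocol matches admits
                # the fragment even if it has port or flag conditions; a deny entry with
                # such conditions is skipped because it cannot be evaluated.
                if r.proto != "any" and r.proto != p.proto:
                    continue
                if r.action == "deny" and r.has_l4_conditions():
                    continue
                return r.action
            if r.matches(p):
                return r.action
        return "deny"                # implicit deny


def inbound_acl() -> StatelessFilter:
    """Hypothetical ACL applied to packets arriving from the unprotected side."""
    return StatelessFilter([
        Rule("permit", "tcp", established=True),  # meant to admit replies to inside-initiated sessions
        Rule("permit", "tcp", dst_port=80),       # public web server
    ])


def demo() -> dict:
    """Decisions for constructed inbound packets toward the inside host 10.0.0.80."""
    acl = inbound_acl()
    attacker, inside_host = "198.51.100.7", "10.0.0.80"
    return {
        # Legitimate new connection to the web server: permitted by the second entry.
        "web_syn": acl.decide(Packet(attacker, inside_host, "tcp", 51000, 80, frozenset({"SYN"}))),
        # New Telnet connection from outside: no entry matches, implicit deny.
        "telnet_syn": acl.decide(Packet(attacker, inside_host, "tcp", 51001, 23, frozenset({"SYN"}))),
        # Problem 1: the same Telnet probe with only ACK set fits the "established" entry and
        # passes although no inside host ever opened this session.
        "telnet_forged_ack": acl.decide(Packet(attacker, inside_host, "tcp", 51001, 23, frozenset({"ACK"}))),
        # Problem 2: a non-initial fragment of a Telnet packet has no TCP header at all, so the
        # port and flag conditions cannot be applied and the first entry lets it through.
        "telnet_fragment": acl.decide(Packet(attacker, inside_host, "tcp", frag_offset=8)),
    }
```

The forged ACK and the fragment both reach the inside host because the filter has no memory of which connections exist; it can only compare each packet against the entries in isolation.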
Proxy Server Requests connections between a client on the inside of the firewall and the Internet
A proxy server is a firewall device that examines packets at higher layers of the Open Systems Interconnection (OSI) model. This device hides valuable data by requiring users to communicate with a secure system by means of a proxy. Users gain access to the network by going through a process that establishes session state, user authentication, and authorized policy. This means that users connect to outside services via application programs (proxies) running on the gateway connecting to the outside unprotected zone. However, there are problems with the proxy server because it
■
Creates a single point of failure, which means that if the entrance to the network is compromised, then the entire network is compromised.
Stateful packet filtering is the method used by the Cisco PIX Firewall. This technology maintains complete session state. Each time a TCP/UDP connection is established for inbound or outbound connections, the information is logged in a stateful session flow table. The stateful session flow table contains the source and destination addresses, port numbers, TCP sequencing information, and additional flags for each TCP/UDP connection associated with that particular session. This information creates a connection object and, consequently, all inbound and outbound packets are compared against session flows in the stateful session flow table. Data is permitted through the firewall only if an appropriate connection exists to validate its passage. This method is effective because: ■
It works on packets and connections.
■
It operates at a higher performance level than packet filtering or using a proxy server.
■
It records data in a table for every connection or connectionless transaction. This table serves as a reference point to determine if packets belong to an existing connection or are from an unauthorized source.
Overview of the PIX Firewall This section discusses the basic concepts of the PIX Firewall.
The Private Internet Exchange (PIX) Firewall is a key element in the overall Cisco end-to-end security solution. The PIX Firewall is a dedicated hardware and software security solution that delivers high-level security without impacting network performance. It is a hybrid system because it uses features from both the packet filtering and proxy server technologies. Unlike typical CPU-intensive, full-time proxy servers that perform extensive processing on each data packet at the application level, the PIX Firewall uses a proprietary operating system that is a secure, real-time, embedded system. The PIX Firewall provides the following benefits and features:
■
Non-UNIX, secure, real-time, embedded system—Unlike typical CPU-intensive proxy servers that perform extensive processing on each data packet, the PIX Firewall uses a secure, real-time, embedded system, which enhances the security of the network.
■
Adaptive Security Algorithm (ASA)—Implements stateful connection control through the PIX Firewall.
■
Cut-through proxy—A user-based authentication method of both inbound and outbound connections, providing improved performance in comparison to that of a proxy server.
■
Stateful failover—The PIX Firewall enables you to configure two PIX Firewall units in a fully redundant topology.
■
Stateful packet filtering—A secure method of analyzing data packets that places extensive information about a data packet into a table. For a session to be established, information about the connection must match the information in the table.
The PIX Firewall is interoperable and scalable with IPSec, which includes an umbrella of security and authentication protocols such as Internet Key Exchange (IKE) and Public Key Infrastructure (PKI). The PIX Firewall offers an IPSec-based virtual private network (VPN). Remote clients can securely access corporate networks through their ISPs.
The Cisco PIX Firewall 500 series scales to meet a range of requirements and network sizes, and currently consists of five models: the PIX Firewall 501, 506, 515, 525, and 535. The 500 series models support a broad range of network interface cards (NICs). The 501 has an integrated 10BaseT port and an integrated 4-port 10/100 switch. The 506 has dual integrated 10BaseT ports. The 515 supports single-port or four-port 10/100 Ethernet cards and the VPN Accelerator card. The PIX Firewall 525 supports single-port or four-port 10/100 Fast Ethernet, Gigabit Ethernet, and the VPN Accelerator. The 535 supports Fast Ethernet, Gigabit Ethernet, and the VPN Accelerator. The PIX Firewall is secure right out of the box. The PIX Firewall default settings allow all connections from the inside interface access to the outside interface, and block all connections from the outside interface to the inside interface. After a few installation procedures and an initial configuration of six general commands, your PIX Firewall is operational and protecting your network.
PIX Firewall 501 • Designed for small offices and teleworkers • 3,500 simultaneous connections • 10 Mbps cleartext throughput • 133 MHz processor • 16 MB of SDRAM • Supports 1 10BaseT Ethernet interface (outside) and a 4-port 10/100 switch (inside) • 3 Mbps 3DES throughput • 5 simultaneous VPN peers
The Cisco PIX 501 Firewall measures only 1.0 x 6.25 x 5.5 inches and weighs only 0.75 pounds, yet it delivers enterprise-class security for small offices and teleworkers. Ideal for securing high-speed "always on" broadband environments, the Cisco PIX 501 Firewall provides small office networking features and powerful remote management capabilities in a compact, all-in-one solution. The Cisco PIX 501 Firewall provides a convenient way for multiple computers to share a single broadband connection. In addition to its RS-232 (RJ-45) 9600 baud console port and its integrated 10BaseT port for the outside interface, it features an integrated auto-sensing, auto-MDIX 4-port 10/100 switch for the inside interface. Auto-MDIX support eliminates the need to use crossover cables with devices connected to the switch. The PIX Firewall 501 can also secure all network communications from remote offices to corporate networks across the Internet using its standards-based Internet Key Exchange (IKE)/IP security (IPsec) VPN capabilities. Users can also enjoy plug-and-play networking by taking advantage of the built-in Dynamic Host Configuration Protocol (DHCP) server within the PIX Firewall, which automatically assigns network addresses to the computers when they are powered on. The PIX Firewall 501 comes with an integrated security lock slot for improved physical security and contains 8 MB of Flash memory.
Note
The cable lock for the security lock slot is not provided with the unit.
Note
The Cisco PIX 501 Firewall requires software version 6.1(1) or higher.
The PIX Firewall 506 is designed for companies that are leveraging the cost advantages of the Internet and allowing employees to work remotely. It delivers full firewall protection, as well as IPSec virtual private network (VPN) capabilities. The 506 can connect with up to 25 VPN peers simultaneously, and provides users with a complete implementation of IPSec standards. It comes with 8 MB of Flash memory and 2 integrated 10Base-T ports, is compact in size (8 x 12 x 1.7"), and uses TFTP for image download and upgrade.
PIX Firewall 515 • Designed for small to medium businesses • 128,000 simultaneous connections • 147 Mbps cleartext throughput • 200 MHz processor • 64 MB RAM • Supports 6 interfaces • Supports failover • 10 Mbps 3DES throughput
The PIX Firewall 515 is designed for small and medium-sized businesses. It delivers full firewall protection, as well as IPSec VPN capabilities with complete implementation of IPSec standards. You can create and terminate VPN tunnels between two PIX Firewalls, between a PIX Firewall and any Cisco VPN-enabled router, and between a PIX Firewall and the Cisco Virtual Private Networks (CVPN) Client. The PIX Firewall 515 is also ideal for remote sites that require only two-way communication with their corporate network. The PIX Firewall 515 supports up to six 10/100 Ethernet ports, as well as the VPN Accelerator card. This allows for more robust traffic configurations as well as establishing a protected DMZ for hosting a web site or performing URL filtering and virus detection. The PIX Firewall 515 is rack-mountable, comes with 16 MB of Flash memory, and uses TFTP for image download and upgrade.
Note
A PIX Firewall 515-UR license is required for support of six interfaces. The 515-R license supports three interfaces.
The PIX Firewall 520 is intended for large enterprise organizations and complex, high-end traffic environments. It too delivers full firewall protection, as well as IPSec VPN capabilities with complete implementation of IPSec standards. The 520 has an enterprise chassis design, is rack-mountable, and uses a 3.5-inch floppy disk drive to upgrade and load the image. Although newer PIX Firewall 520 units come with 16 MB of Flash memory, older units have only 2 MB. To run software versions 5.2 and higher, the Flash needs to be upgraded to 16 MB.
Note
The PIX 520 Firewall is no longer available for purchase. The information on the 520 remains in the course as a courtesy to our customers. The recommended replacement product for the PIX 520 Firewall is the 525.
The PIX Firewall 525 is intended for Enterprise and Service Provider use. Ideal for protecting the Enterprise Headquarters’ perimeter, the PIX Firewall 525 delivers full firewall protection, as well as IPSec VPN capabilities. The PIX Firewall 525 supports a broad range of network interface cards. Standard cards include single-port or four-port 10/100 Fast Ethernet and Gigabit Ethernet (with UR license). With the restricted license, it supports 6 interfaces; with the unrestricted license (UR), it supports 8 interfaces. The PIX Firewall 525 also offers multiple power supply options. You can choose between an AC and a 48 V DC power supply. Either option can be paired with a second power supply for redundancy and high availability.
Note
The PIX 525 Firewall also supports the VPN Accelerator.
PIX Firewall 535 • Designed for enterprise and service providers • 500,000 simultaneous connections • 1.7 Gbps cleartext throughput • 1 GHz processor • 1 GB RAM • Maximum of 10 interfaces • Supports failover • 96 Mbps 3DES throughput
The PIX Firewall 535 is intended for Enterprise and Service Provider use. It has a throughput of 1.7 Gbps with the ability to handle up to 500,000 concurrent connections. Supporting both site-to-site and remote access VPN applications via 56-bit DES or 168-bit 3DES, the integrated VPN functionality of the PIX Firewall 535 can be supplemented with a VPN Accelerator card to deliver 96 Mbps of 3DES throughput and 2,000 IPSec tunnels. The PIX Firewall 535 supports Fast Ethernet, Gigabit Ethernet, and VPN Accelerator interfaces. A PIX Firewall 535 configured with only Gigabit interfaces will not be capable of upgrading an Activation key. Activation key upgrades require the monitor mode for all systems without floppy disk drives. The monitor mode does not support Gigabit interfaces. A Fast Ethernet interface must be installed to use the monitor mode. If a PIX Firewall 535 is ordered with Gigabit interfaces only, an additional Fast Ethernet interface is included with the unit so that the Activation key may be upgraded.
Note
If, after configuring a PIX Firewall unit for Gigabit Ethernet cards, you replace the cards with 10/100 Ethernet cards, the order of the cards in the configuration changes from what you originally configured. For example, if you configure ethernet0 for a Gigabit Ethernet card assigned to the inside interface and replace this card with a 10/100 Ethernet card, the card may no longer appear as ethernet0.
The PIX Firewall 535 comes with 16 MB of Flash memory and supports the PIX Firewall software version 5.3 or later.
Finesse Operating System Eliminates the risks associated with general-purpose operating systems
Finesse, Cisco’s proprietary operating system, is a non-UNIX, non-Windows NT, IOS-like operating system. Use of Finesse eliminates the risks associated with general-purpose operating systems. It enables the PIX Firewall to deliver outstanding performance with up to 500,000 simultaneous connections, dramatically greater than any UNIX-based firewall.
The heart of the PIX Firewall is the Adaptive Security Algorithm (ASA). ASA maintains the secure perimeters between the networks controlled by the firewall. The stateful, connection-oriented ASA design creates session flows based on source and destination addresses. It randomizes TCP sequence numbers, port numbers, and additional TCP flags before completion of the connection. This function is always in operation, monitoring return packets to ensure they are valid, and allows one-way (inside to outside) connections without an explicit configuration for each internal system and application. The randomizing of the TCP sequence numbers minimizes the risk of a TCP sequence number attack: a host behind the firewall that chooses predictable initial sequence numbers is hidden behind a random value that the outside never correlates with the host's own counter. Because of the ASA, the PIX Firewall is less complex and more robust than a packet filtering-designed firewall.
Stateful packet filtering is a secure method of analyzing data packets that places extensive information about a data packet into a table. Each time a TCP connection is established for inbound or outbound connections through the PIX Firewall, the information about the connection is logged in a stateful session flow table. For a session to be established, information about the connection must match information stored in the table. With this methodology, the stateful filters work on the connections and not the packets, making it a more stringent security method whose sessions are far harder to hijack. Like a fingerprint, stateful packet filtering
■
Obtains the session identifying parameters, IP addresses, and ports for each TCP connection.
■
Logs the data in a stateful session flow table and creates a session object.
■
Compares the inbound and outbound packets against session flows in the connection table.
■
Allows data packets to flow through the PIX Firewall only if an appropriate connection exists to validate their passage.
■
Temporarily sets up a connection object until the connection is terminated.
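The session flow table described in the Firewall Technologies section and the ASA behaviour listed above (a session object per connection, validation of return packets, randomized sequence numbers, one-way connections without explicit rules, teardown when the connection ends) can be modelled directly. The Python below is an added example for this page, not course or Cisco code; the two interface names with their security levels, the two-interface topology, the sequence window, the simplified teardown on the first FIN or RST, and all addresses are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

MOD32 = 1 << 32
SECURITY_LEVEL = {"inside": 100, "outside": 0}            # assumed levels for the two interfaces
PEER_IFACE = {"inside": "outside", "outside": "inside"}   # two-interface unit, no routing table


@dataclass(frozen=True)
class Packet:
    iface: str                 # interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset           # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0
    length: int = 0            # payload bytes


@dataclass
class Session:
    """One row of the session flow table: the connection object for a TCP flow."""
    in_iface: str              # interface of the side that opened the connection
    out_iface: str
    isn_delta: int             # random offset applied to the initiator's sequence numbers
    init_next_seq: int         # next sequence number expected from the initiator (untranslated)
    resp_next_seq: Optional[int] = None


class StatefulFirewall:
    def __init__(self, window: int = 65535, rng=lambda: secrets.randbelow(MOD32)):
        self.table = {}        # (src, sport, dst, dport) as seen from the initiator -> Session
        self.window = window   # tolerated sequence-number drift; a constructed value
        self.rng = rng         # injectable so a test can fix the random offset

    def process(self, p: Packet) -> Tuple[str, object]:
        """Return ("permit", packet as it is forwarded) or ("deny", reason)."""
        key = (p.src, p.sport, p.dst, p.dport)
        rkey = (p.dst, p.dport, p.src, p.sport)
        if key in self.table and p.iface == self.table[key].in_iface:
            return self._from_initiator(p, self.table[key], key)
        if rkey in self.table and p.iface == self.table[rkey].out_iface:
            return self._from_responder(p, self.table[rkey], rkey)
        if p.flags == frozenset({"SYN"}):
            out_iface = PEER_IFACE[p.iface]
            if SECURITY_LEVEL[p.iface] > SECURITY_LEVEL[out_iface]:
                # Outbound (high to low security) connections need no explicit rule:
                # create the session object and pick a random sequence-number offset.
                s = Session(p.iface, out_iface, self.rng() % MOD32, (p.seq + 1) % MOD32)
                self.table[key] = s
                return "permit", self._translate(p, s)
            return "deny", "new connection toward a higher security level"
        return "deny", "no matching session"    # stray ACKs, unsolicited replies, spoofed tuples

    def _translate(self, p: Packet, s: Session) -> Packet:
        # The initiator's real sequence numbers never leave the trusted side; replies are
        # shifted back by the same offset in _from_responder.
        return Packet(p.iface, p.src, p.dst, p.sport, p.dport, p.flags,
                      (p.seq + s.isn_delta) % MOD32, p.ack, p.length)

    def _near(self, a: int, b: int) -> bool:
        d = (a - b) % MOD32
        return min(d, MOD32 - d) <= self.window

    def _from_initiator(self, p: Packet, s: Session, key) -> Tuple[str, object]:
        if not self._near(p.seq, s.init_next_seq):
            return "deny", "initiator sequence number outside window"
        if p.flags & {"FIN", "RST"}:
            del self.table[key]                 # simplified: tear down on the first FIN or RST
        else:
            s.init_next_seq = (p.seq + p.length) % MOD32
        return "permit", self._translate(p, s)

    def _from_responder(self, p: Packet, s: Session, key) -> Tuple[str, object]:
        if "ACK" not in p.flags:
            return "deny", "responder packet without ACK"
        real_ack = (p.ack - s.isn_delta) % MOD32   # undo the randomization
        if not self._near(real_ack, s.init_next_seq):
            return "deny", "acknowledgement does not match the translated sequence"
        if s.resp_next_seq is None:
            if "SYN" not in p.flags:
                return "deny", "responder data before SYN/ACK"
            s.resp_next_seq = (p.seq + 1) % MOD32
        elif not self._near(p.seq, s.resp_next_seq):
            return "deny", "responder sequence number outside window"
        else:
            s.resp_next_seq = (p.seq + p.length) % MOD32
        if p.flags & {"FIN", "RST"}:
            del self.table[key]
        return "permit", Packet(p.iface, p.src, p.dst, p.sport, p.dport, p.flags,
                                p.seq, real_ack, p.length)
```

Two points worth noticing when stepping through it: a packet that merely looks like return traffic (ACK set, no session) is dropped because nothing in the table validates its passage, and a packet arriving on the wrong interface with a legitimate inside host's address and ports is dropped for the same reason, since the session object records which interface opened the flow.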
Cut-Through Proxy Operation (figure: an internal or external user, the PIX Firewall, and an IS resource; the figure shows a browser login dialog titled "Username and Password Required" with the username student)
1. The user makes a request to an IS resource.
2. The PIX Firewall intercepts the connection.
3. The PIX Firewall prompts the user for a username and password, authenticates the user, and checks the security policy on a RADIUS or TACACS+ server.
4. The PIX Firewall initiates a connection from the PIX Firewall to the destination IS resource.
5. The PIX Firewall directly connects the internal or external user to the IS resource via ASA.
Cut-through proxy is a method of transparently verifying the identity of users at the firewall, and permitting or denying access to any TCP- or UDP-based application. This is also known as user-based authentication of inbound or outbound connections. Unlike a proxy server that analyzes every packet at the application layer of the OSI model, the PIX Firewall first challenges a user at the application layer. After the user is authenticated and the policy is checked, the PIX Firewall shifts the session flow to a lower layer of the OSI model for dramatically faster performance. This allows security policies to be enforced on a per-user basis. Connections must be authenticated with a user identification and password before they can be established. The user identification and password are entered via an initial HTTP, Telnet, or FTP connection. This method eliminates the price/performance penalty that UNIX system-based firewalls impose in similar configurations, and allows a finer level of administrative control over connections. The cut-through proxy method of the PIX Firewall also leverages the authentication and authorization services of the Cisco Secure Access Control Server.
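Steps 2 to 5 of the cut-through proxy flow can be modelled as a small state machine: the first connection from a host is intercepted and challenged, the credentials and the per-user policy are checked against a AAA server, and on success the host is cached so that later connections are passed straight to the stateful engine without another application-layer challenge. The Python below is an added example for this page, not course or Cisco code; the in-memory `AAAServer` stands in for a RADIUS or TACACS+ server, and the `host:port` policy format, the idle timeout, the set of protocols that can carry the login prompt, and the addresses and credentials are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

AUTH_PORTS = {21: "ftp", 23: "telnet", 80: "http"}   # protocols that can carry the login prompt


class AAAServer:
    """Constructed stand-in for a RADIUS or TACACS+ server: verifies a password and
    returns the set of "host:port" destinations the user is authorized to reach."""

    def __init__(self, users: Dict[str, Tuple[str, Set[str]]]):
        self._db = {}
        for name, (password, allowed) in users.items():
            salt = secrets.token_bytes(16)
            self._db[name] = (salt, self._digest(salt, password), frozenset(allowed))

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def authenticate(self, name: str, password: str) -> Optional[frozenset]:
        record = self._db.get(name)
        if record is None:
            return None
        salt, digest, allowed = record
        if not hmac.compare_digest(digest, self._digest(salt, password)):
            return None
        return allowed


@dataclass(frozen=True)
class Connection:
    src: str      # internal or external host opening the connection
    dst: str      # the IS resource
    dport: int


class CutThroughProxy:
    def __init__(self, aaa: AAAServer, uauth_timeout: int = 300):
        self.aaa = aaa
        self.uauth_timeout = uauth_timeout           # idle seconds before re-authentication
        self.uauth: Dict[str, Tuple[str, frozenset, int]] = {}   # src host -> (user, policy, last use)

    def _cached(self, src: str, now: int):
        entry = self.uauth.get(src)
        if entry is not None and now - entry[2] <= self.uauth_timeout:
            return entry
        self.uauth.pop(src, None)                    # expired or absent: drop it
        return None

    @staticmethod
    def _authorized(allowed: frozenset, conn: Connection) -> bool:
        return "*" in allowed or f"{conn.dst}:{conn.dport}" in allowed

    def handle(self, conn: Connection, now: int,
               credentials: Optional[Tuple[str, str]] = None) -> Tuple[str, str]:
        """One intercepted connection (step 2). Returns ("cut-through", user) when the flow
        is handed to the stateful engine (steps 4 and 5), ("challenge", prompt) when the
        user must first log in (step 3), or ("deny", reason)."""
        cached = self._cached(conn.src, now)
        if cached is not None:
            user, allowed, _ = cached
            if not self._authorized(allowed, conn):
                return "deny", f"policy forbids {user} -> {conn.dst}:{conn.dport}"
            self.uauth[conn.src] = (user, allowed, now)      # refresh the idle timer
            return "cut-through", user
        if conn.dport not in AUTH_PORTS:
            return "deny", "host not authenticated; log in over HTTP, Telnet, or FTP first"
        if credentials is None:
            return "challenge", f"Username and Password Required ({AUTH_PORTS[conn.dport]})"
        user, password = credentials
        allowed = self.aaa.authenticate(user, password)
        if allowed is None:
            return "deny", "authentication failed"
        if not self._authorized(allowed, conn):
            return "deny", f"policy forbids {user} -> {conn.dst}:{conn.dport}"
        self.uauth[conn.src] = (user, allowed, now)
        return "cut-through", user
```

The application-layer work (the prompt and the AAA round trip) happens once per host and timeout period; every connection after that is a cache lookup and a policy comparison, which is what lets the firewall hand the session to the lower-layer stateful engine. The password store uses a salted PBKDF2 digest and a constant-time comparison only because a plaintext table would be a poor habit even in a model.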
Stateful failover provides a mechanism for the PIX Firewall to be redundant by allowing two identical units to serve the same functionality. The active unit performs normal security functions, while the standby unit monitors, ready to take control should the active unit fail. The two units must be running the same version of software. Configuration replication will occur under the following circumstances: ■
When a secondary unit completes its initial bootup, the primary unit will replicate its entire configuration to the secondary unit.
■
As commands are entered on the primary unit, they are sent across to the secondary unit. The commands are sent via failover cable.
■
Entering the write standby command on the primary unit forces the entire configuration to the secondary unit.
Because configuration replication is automatic from the active unit to the standby unit, configuration should be modified only on the active unit. When failover occurs, Syslog messages are generated indicating the cause of failure. Failover detection occurs within 30 to 45 seconds.
Note
PIX Firewall models 515, 525, and 535 support failover.
Summary This section summarizes the information you learned in this chapter.
Summary • There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering. • There are currently five PIX Firewall models in the 500 series: 501, 506, 515, 525, and 535. • The PIX Firewall features include: Finesse operating system, Adaptive Security Algorithm, cut-through proxy, stateful failover, and stateful packet filtering.
Overview This chapter includes the following topics: ■
Objectives
■
Identify the PIX Firewall 501 controls, connectors, and LEDs
■
Identify the PIX Firewall 506 controls, connectors, and LEDs
■
Identify the PIX Firewall 515 controls, connectors, and LEDs
■
Identify the PIX Firewall 520 controls, connectors, and LEDs
■
Identify the PIX Firewall 525 controls, connectors, and LEDs
■
Identify the PIX Firewall 535 controls, connectors, and LEDs
■
Summary
Objectives This section lists the chapter’s objectives:
Objectives
Upon completion of this chapter, you will be able to perform the following tasks: • Identify the PIX Firewall 501, 506, 515, 520, 525, and 535 controls, connectors, and LEDs. • Identify the PIX Firewall 501, 506, 515, 520, 525, and 535 interfaces.
Power—When the light is green, the device is powered on.
■
Link/Act—When the light is flashing green, network activity (such as Internet access) is present. When the light is solid green, the correct cable is in use and the connected equipment has power and is operational. When the light is off, no link is established.
■
VPN Tunnel—When the light is green, one or more IKE/IPSec VPN tunnels are established. When the light is off, one or more IKE/IPSec VPN tunnels are disabled. If the standard configuration has not been modified to support VPN tunnels, the LED does not light up because it is disabled by default.
Note ■
Copyright 2002, Cisco Systems, Inc.
The VPN Tunnel LED does not light up when PPTP/L2TP tunnels are established.
100MBPS—When the light is green, the interface is enabled at 100 Mbps (auto-negotiated). When the light is off, the interface is enabled at 10 Mbps.
Identify the Cisco PIX Firewall
4-3
PIX Firewall 501 Back Panel Console Console port port (RJ-45) (RJ-45)
This figure shows the back panel of the PIX Firewall 501. The following are the PIX Firewall 501 features:
■ 10/100 switch ports—Ports in the auto-sensing, auto-MDIX switch used for the inside interface. Connect your PC or other network devices to one of the four switched ports, which are numbered 1 through 4.
■ 10BaseT port—Port 0, a half-duplex Ethernet port for the public network. The PIX 501 Firewall comes with a yellow Ethernet cable (72-1482-01) and an orange Ethernet cable (72-3515-01). Use the yellow cable to connect the device to a switch or hub. Use the orange cable to connect the device to a DSL modem, cable modem, or router.
■ Console port—RS-232 (RJ-45) 9600 baud port used to connect a computer to the PIX Firewall for console operations.
■ Power connector—Used to attach the power supply cable to the PIX Firewall. The PIX 501 does not have a power switch.
■ Security lock slot—A slot that accepts standard desktop cable locks to provide physical security for small portable equipment, such as laptop computers.

Note: When installing the PIX 501 Firewall, place the chassis on a flat, stable surface. The chassis is not rack mountable.
Identify the PIX Firewall 506 Controls and Connectors

This section explains the controls and connectors for the PIX Firewall 506.

On the PIX Firewall 506, Ethernet 1 connects the inside network and Ethernet 0 is for the outside network. Use the console port to connect a computer to enter configuration commands. The USB port to the left of the console port is not used. The power connection is directly beneath the power switch. The PIX Firewall 506 uses an external AC to DC power supply. The LEDs display the following transmission states:
■ ACT—Shows network activity.
■ LINK—Shows that data is passing on the network to which the connector is attached.
Identify the PIX Firewall 515 Controls and Connectors

This section explains the controls and connectors for the PIX Firewall 515. The front panel LEDs function as follows:
■ Power—When the PIX Firewall has power, the light shines.
■ ACT—When the PIX Firewall is used in a standalone configuration, the light shines. When the PIX Firewall is configured for failover operations, the light shines on the active PIX Firewall.
■ Network—The light shines when at least one network interface is passing traffic.

Figure: PIX Firewall 515 back panel (100 Mbps LED, LINK LED).

This figure shows the back panel of the PIX Firewall 515. The following lists the PIX Firewall 515 features:
■ Ethernet connections—With software versions 5.2 and higher, any port, whether fixed or a PCI expansion port, and any interface type (FDDI, Token Ring, Fast Ethernet, or Gigabit Ethernet) can be assigned to be the inside or outside network port.
■ Console port—Used to connect a computer to the PIX Firewall for console operations.
■ Failover connection—Used to attach a failover cable between two PIX Firewalls.
■ 100 Mbps LED—100 Mbps, 100BaseTX communication for the respective connector. If the light is off, the PIX Firewall 515 uses 10 Mbps data exchange.
■ LINK LED—Indicates that data is passing on the network to which the connector is attached.
■ FDX LED—Indicates that the connection uses full duplex data exchange; data can be transmitted and received simultaneously. If the light is off, half duplex is in effect.
■ Power switch—Controls the power to the PIX Firewall.

Note: The USB port to the left of the console port and the detachable plate above the Ethernet 1 connector are for future PIX Firewall enhancements.
PIX Firewall 515 Quad Card

Using the quad card requires the PIX Firewall 515-UR license. The quad card is a four-port Ethernet card. When you connect the perimeter network cables to this card, you begin with the far left connector and move to the right. For example, Ethernet 2 will go in the far left connector, Ethernet 3 in the second connector from the left, and so on.

Note: The maximum number of interfaces allowed is six. Any additional cards are not recognized.

PIX Firewall 515 Two Single-Port Connectors

Using two single-port connectors requires the PIX Firewall 515-UR license. If your PIX Firewall has one or two single-port Ethernet cards installed in the auxiliary assembly on the left of the PIX Firewall at the rear, the cards are numbered top to bottom, so that the top card is Ethernet 2 and the bottom card is Ethernet 3.
Identify the PIX Firewall 520 Controls and Connectors

This section explains the controls and connectors for the PIX Firewall 520.

The PIX Firewall 520 cable connectors are in the front of the PIX Firewall; earlier models connect at the rear. The PIX Firewall 520 comes with a 3.5-inch floppy disk drive, with the power switch on the rear panel. Two rack-unit spaces are needed to mount a PIX Firewall 520.

This figure represents the front of the PIX Firewall 520 and shows the placement of each single-port connector. When connecting cables with four single-port interfaces on the PIX Firewall, the outside interface card must be in slot 0, the farthest left available slot in the PIX Firewall. The first card to the right of the outside interface is seen by the PIX Firewall as the inside interface card, regardless of location.

Note: The assignment of interface sequencing numbers is determined by the position of the quad card. The figure shows a quad card installed in slot 0, slot 1, and slot 2. Notice the difference in the numbering sequence. Example A shows that the quad card is numbered from top to bottom; the topmost connector is the outside interface. Example B shows how the slots are numbered if a single-port interface card is in slot 0 and a quad card is in slot 1. Example C shows how the slots are numbered if a single-port interface card is in slot 0 and slot 1, and a quad card is installed in slot 2.
Identify the PIX Firewall 525 Controls and Connectors

This section explains the controls and connectors for the PIX Firewall 525. There are two LEDs on the front panel of the PIX Firewall 525. The LEDs function as follows:
■ POWER—On when the unit has power.
■ ACT—On when the unit is the active failover unit. If failover is configured, the light is on when the unit is the active unit and off when the unit is in standby mode.

On the back of the PIX Firewall 525, there are three LEDs for each RJ-45 interface port and three types of fixed interface connectors. The LEDs display the following transmission states:
■ 100 Mbps—100 Mbps, 100BaseTX communication. If the light is off during network activity, that port is using 10 Mbps data exchange.
■ ACT—Shows network activity.
■ LINK—Shows that data is passing through that interface.

The following are fixed connectors on the back of the PIX Firewall 525:
■ RJ-45—Network and console connectors.
■ DB-15—Failover cable connector.
■ USB—Not used at the present time.

The inside, outside, or perimeter network connections can be made to any available interface port on the PIX Firewall 525. If you are only using the Ethernet 0 and Ethernet 1 ports, connect the inside network cable to the interface connector marked Ethernet 0 or Ethernet 1, and connect the outside network cable to the remaining Ethernet port. If you install optional circuit boards, refer to the following lists of combinations that are available for the PIX Firewall 525. A maximum of six circuit boards can be used with a restricted license, and a maximum of eight circuit boards are possible with the unrestricted license.

The following are the PIX Firewall 525 Restricted Interface Options:
■ 3 Fast Ethernet
■ 2 Fast Ethernet + 1 VPN Accelerator
■ 3 Gigabit Ethernet
■ 2 Gigabit Ethernet + 1 VPN Accelerator
■ 1 4-Port Fast Ethernet
■ 1 4-Port Fast Ethernet + 1 VPN Accelerator

The following are the PIX Firewall 525 Unrestricted Interface Options:

When connecting the network cables to the expansion interface ports, use the following guidelines: the first expansion port number, at the top left, is interface 2. Starting from that port and going from left to right and top to bottom, the next port is interface 3, the next is interface 4, and so on.
Identify the PIX Firewall 535 Controls and Connectors

This section explains the controls and connectors for the PIX Firewall 535. There are two LEDs on the front panel of the PIX Firewall 535. The LEDs function as follows:
■ Power—On when the PIX Firewall has power.
■ ACT—On when the PIX Firewall is the active failover firewall. If failover is configured, the light is on when the PIX Firewall is the active firewall and off when the PIX Firewall is in standby mode.

There are three separate buses for the nine interface slots in the PIX Firewall 535. The figure is a reference for the interface slot configuration on the PIX Firewall 535. The slots and buses are configured as follows:
■ Slots 0 and 1—64-bit/66 MHz Bus 0
■ Slots 2 and 3—64-bit/66 MHz Bus 1
■ Slots 4 to 8—32-bit/33 MHz Bus 2

The following practices must be followed to achieve the best possible system performance on the PIX 535 Firewall:
■ PIX-1GE-66 interface cards should be installed first in the 64-bit/66 MHz buses before they are installed in the 32-bit/33 MHz bus. If more than four PIX-1GE-66 cards are needed, they may be installed in the 32-bit/33 MHz bus, but with limited potential throughput.
■ PIX-1GE and PIX-1FE cards should be installed first in the 32-bit/33 MHz bus before they are installed in the 64-bit/66 MHz buses. If more than five PIX-1GE and/or PIX-1FE cards are needed, they may be installed in a 64-bit/66 MHz bus, but doing so lowers that bus speed and limits the potential throughput of any PIX-1GE-66 card installed in that bus.

The PIX-1GE Gigabit Ethernet adaptor is supported in the PIX 535; however, its use is strongly discouraged because maximum system performance with the PIX-1GE card is much lower than with the PIX-1GE-66 card. The software displays a warning at boot time if a PIX-1GE is detected. The following table summarizes the performance considerations of the different interface card combinations.

Interface Card Combination                                Installed in Interface Slot Numbers   Potential Throughput
Two to four PIX-1GE-66                                    0 through 3                           Best
PIX-1GE-66 combined with PIX-1GE, or just PIX-1GE cards   0 through 3                           Degraded
Any PIX-1GE-66 or PIX-1GE                                 4 through 8                           Severely degraded

Note: The PIX-4FE and PIX-VPN-ACCEL cards can be installed only in the 32-bit/33 MHz bus and must never be installed in a 64-bit/66 MHz bus. Installation of these cards in a 64-bit/66 MHz bus may cause the system to hang at boot time.

If Stateful Failover is enabled, the interface card and bus used for the Stateful Failover LAN port must be equal to or faster than the fastest card used for the network interface ports. For example, if your inside and outside interfaces are PIX-1GE-66 cards installed in bus 0, then your Stateful Failover interface must be a PIX-1GE-66 card installed in bus 1. A PIX-1GE or PIX-1FE card cannot be used in this case, nor can a PIX-1GE-66 card installed in bus 2 or sharing bus 1 with a slower card.
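The bus and Stateful Failover rules above are easy to violate when a chassis is re-carded, so the following is an added example (not Cisco code) that encodes them as a placement checker. The slot-to-bus map, the PIX-4FE / PIX-VPN-ACCEL restriction, the throughput table and the Stateful Failover rule are taken from this section; the numeric speed ranks are an assumption used only to compare cards, and the layouts in sample_layouts() are constructed.

```python
"""Checker for PIX 535 interface-card placement.

Added example, not Cisco code. Slot-to-bus mapping, the PIX-4FE / PIX-VPN-ACCEL
restriction, the throughput table and the Stateful Failover rule are the ones
stated in this section; CARD_RANK is an assumed relative speed used only to
compare cards, and sample_layouts() returns constructed layouts.
"""

# "Slots 0 and 1 - Bus 0, Slots 2 and 3 - Bus 1, Slots 4 to 8 - Bus 2"
BUS_OF_SLOT = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 2, 7: 2, 8: 2}
FAST_BUSES = {0, 1}                        # 64-bit/66 MHz; bus 2 is 32-bit/33 MHz
BUS2_ONLY = {"PIX-4FE", "PIX-VPN-ACCEL"}   # may hang at boot in a 64-bit/66 MHz bus
CARD_RANK = {"PIX-1FE": 1, "PIX-1GE": 2, "PIX-1GE-66": 3}   # assumed relative speeds


def bus_rank(layout, bus):
    """Speed the bus can deliver: bus 2 is capped below a PIX-1GE-66, and a fast
    bus drops to its slowest installed card (the 'lowers that bus speed' rule)."""
    if bus not in FAST_BUSES:
        return CARD_RANK["PIX-1GE"]
    ranks = [CARD_RANK.get(card, 0) for slot, card in layout.items()
             if BUS_OF_SLOT.get(slot) == bus]
    return min([CARD_RANK["PIX-1GE-66"]] + ranks)


def effective_rank(layout, slot):
    """Throughput a card can actually reach in its slot: the slower of card and bus."""
    return min(CARD_RANK.get(layout.get(slot), 0), bus_rank(layout, BUS_OF_SLOT[slot]))


def placement_findings(layout):
    """(severity, message) per problem: 'error' for placements that must never be
    used, 'warn' for placements the section says only degrade throughput."""
    findings = []
    for slot, card in sorted(layout.items()):
        if slot not in BUS_OF_SLOT:
            findings.append(("error", f"slot {slot}: no such slot on a PIX 535"))
            continue
        bus = BUS_OF_SLOT[slot]
        if card in BUS2_ONLY and bus in FAST_BUSES:
            findings.append(("error", f"slot {slot}: {card} in 64-bit/66 MHz bus {bus} may hang at boot"))
        elif card == "PIX-1GE-66" and bus not in FAST_BUSES:
            findings.append(("warn", f"slot {slot}: PIX-1GE-66 in the 32-bit/33 MHz bus is severely degraded"))
        elif card in ("PIX-1GE", "PIX-1FE") and bus in FAST_BUSES:
            findings.append(("warn", f"slot {slot}: {card} lowers bus {bus} for any PIX-1GE-66 sharing it"))
        if card == "PIX-1GE":
            findings.append(("warn", f"slot {slot}: PIX-1GE is discouraged; the software warns at boot"))
    return findings


def stateful_failover_ok(layout, failover_slot, traffic_slots):
    """The Stateful Failover card and its bus must be equal to or faster than the
    fastest card used for the network interface ports."""
    fastest_traffic = max(CARD_RANK.get(layout.get(s), 0) for s in traffic_slots)
    return effective_rank(layout, failover_slot) >= fastest_traffic


def sample_layouts():
    """Constructed layouts; inside/outside are PIX-1GE-66 cards in bus 0 (slots 0, 1)."""
    return {
        "good": {0: "PIX-1GE-66", 1: "PIX-1GE-66", 2: "PIX-1GE-66", 4: "PIX-4FE"},
        "failover_shares_bus_with_fe": {0: "PIX-1GE-66", 1: "PIX-1GE-66", 2: "PIX-1GE-66", 3: "PIX-1FE"},
        "failover_in_bus2": {0: "PIX-1GE-66", 1: "PIX-1GE-66", 4: "PIX-1GE-66"},
        "accelerator_in_fast_bus": {0: "PIX-1GE-66", 1: "PIX-VPN-ACCEL"},
    }


if __name__ == "__main__":
    for name, layout in sample_layouts().items():
        failover_slot = 2 if 2 in layout else 4
        print(name, placement_findings(layout),
              "stateful failover ok:", stateful_failover_ok(layout, failover_slot, [0, 1]))
```

The "good" layout is the page's own worked case (PIX-1GE-66 failover card alone in bus 1, PIX-4FE in bus 2); the other three each break one stated rule and are reported as such.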
Figure: PIX Firewall 535 back panel (DB-15 failover port, USB port, console RJ-45, interface slots 2 through 8).

Depending upon the type of interface, there are four possible LEDs for each network interface port. The LEDs for the network interface ports display the following transmission states:
■ 100 Mbps—100 Mbps 100BaseTX communication. If the light is off during network activity, that port is using 10 Mbps data exchange.
■ ACT—Shows network activity.
■ LINK—Shows that data is passing through that interface.
■ FDX—Shows that the connection uses full-duplex data exchange, where data can be transmitted and received simultaneously. If this light is off, half-duplex is in effect.

When connecting the inside, outside, or perimeter network cables to the interface ports on the PIX 535 Firewall, starting from the right and moving left, the connectors are Ethernet 0, Ethernet 1, Ethernet 2, and so forth.

Note: The PIX Firewall 535 is equipped with hot-swappable power supplies. Should a power supply fail, you can remove the power supply without powering off the PIX Firewall 535 unit.
Summary

This section summarizes what you learned in this chapter.
■ The PIX Firewall models 501, 506, 515, 520, 525, and 535 come equipped with Ethernet connections, console connections, and intuitive LEDs.
■ With software versions 5.2 and higher, restrictions on using specific Ethernet ports as the inside and outside network ports have been removed; however, this revision does not change the rules for port numbering.
■ PIX Firewall models 515, 520, 525, and 535 come equipped with failover connections.
Overview

This chapter includes the following topics:
■ Objectives
■ General maintenance commands
■ ASA security levels
■ The six primary commands
■ Summary
■ Lab exercise

Objectives

This section lists the chapter's objectives. Upon completion of this chapter, you will be able to perform the following tasks:
■ Describe the PIX Firewall access modes.
■ Describe and execute the PIX Firewall general maintenance commands.
■ Describe the ASA security levels.
■ Describe and execute the basic PIX Firewall configuration commands.
The PIX Firewall contains a command set based on the Cisco IOS and provides four administrative access modes:
■ Unprivileged mode—This mode is available when you first access the PIX Firewall. The > prompt is displayed. This mode enables you to view restricted settings.
■ Privileged mode—This mode displays the # prompt and enables you to change the current settings. Any unprivileged command also works in privileged mode.
■ Configuration mode—This mode displays the (config)# prompt and enables you to change system configurations. All privileged, unprivileged, and configuration commands work in this mode.
■ Monitor mode—This is a special mode that enables you to update the image over the network. While in monitor mode, you can enter commands specifying the location of the TFTP server and the binary image to download.

Within each access mode, you can abbreviate most commands down to the fewest unique characters for a command. For example, you can enter write t to view the configuration instead of entering the full command write terminal. You can enter en instead of enable to start privileged mode, and co t instead of configure terminal to start configuration mode.

Help information is available from the PIX Firewall command line by entering help or ? to list all commands. If you enter help or ? after a command (for example, route ?), the command syntax is listed. The number of commands listed when you use the question mark or help command differs by access mode, so that unprivileged mode offers the fewest commands and configuration mode offers the greatest number. In addition, you can enter any command by itself on the command line and then press Enter to view the command syntax.

Note: You can create your configuration in a text editor and then cut and paste it into the configuration. You can paste the configuration a line at a time or the entire configuration at once. Always check your configuration after pasting large blocks of text to be sure everything has been copied.
PIX Firewall Commands

There are several general maintenance commands for the PIX Firewall:
■ enable, enable password, and passwd—Used for accessing the PIX Firewall software and changing passwords.
■ write erase, write memory, and write term—Used to view system configurations and store new configurations.
■ show interface, show ip address, show memory, show version, and show xlate—Used to check system configurations and other pertinent information.
■ exit and reload—Used to exit an access mode, reload a configuration, and reboot the system.
■ hostname, ping, and telnet—Used to determine if other IP addresses are visible, change the hostname, specify which internal hosts may open a Telnet session to the PIX Firewall console, and gain console access.

The enable command enables you to enter privileged access mode. After you enter enable, the PIX Firewall prompts you for your privileged mode password. By default, a password is not required, so press Enter. After you are in privileged mode, notice that the prompt has changed to #. When you type configure terminal, it brings you into configuration mode and the prompt changes to (config)#. To exit and return to the previous mode, use the disable, exit, or quit command.
enable password and passwd Commands

pixfirewall# enable password password
pixfirewall# passwd password

The enable password command is used to control access to privileged mode. It sets the privileged mode password, and you are prompted for this password after you enter the enable command. (When the PIX Firewall boots up and you enter privileged mode, the password prompt appears.) There is no default password, so you can press Enter at the password prompt, or you can create a password of your choice. The password is case-sensitive and can be up to 16 alphanumeric characters long. Any character can be used except the question mark, space, and colon. If you change the password, write it down and store it in a manner consistent with your site's security policy. After you change this password, you cannot view it again because the password is encrypted. The show enable password command lists the encrypted form of the password. After passwords are encrypted, they cannot be reversed back to plain text.

The passwd command enables you to set the password for Telnet access to the PIX Firewall. The default value is cisco, so it should be changed before any Telnet host is authorized.

Note: An empty password is also changed into an encrypted string.
write Commands

The write command enables you to write (store) system configurations to memory, view system configurations, and erase current configurations. The following are the write commands:
■ write net—Stores the current configuration into a file on a TFTP server or elsewhere in the network.
■ write erase—Clears the Flash memory configuration.
■ write floppy—Stores the current configuration on diskette (the PIX Firewall 520 and earlier models have a 3.5-inch floppy disk drive).
■ write memory—Saves the current running configuration to Flash memory.
■ write standby—Writes the configuration stored in RAM on the active failover PIX Firewall to the RAM on the standby PIX Firewall. When the active PIX Firewall boots, it automatically writes the configuration to the standby PIX Firewall. Use this command to force the active PIX Firewall's configuration to the standby PIX Firewall.
■ write terminal—Displays the current configuration on the terminal.

Note: If you are formatting a floppy diskette from a Windows operating system, choose the full-format type and not the quick-erase selection. The diskette you create can only be read or written by the PIX Firewall. If you use the write floppy command with a diskette that is not a PIX Firewall boot disk, do not leave it in the floppy drive, because it will prevent the firewall from rebooting in the event of a power failure or system reload. Only one copy of the configuration can be stored on a single diskette.
telnet Commands

pixfirewall(config)# telnet ip_address [netmask] [if_name]
Enables you to specify which hosts can access the PIX Firewall console via Telnet.

pixfirewall(config)# kill telnet_id
Terminates a Telnet session.

The following are the different Telnet commands:
■ telnet—Enables you to specify which hosts can access the PIX Firewall console via Telnet. You can specify a host on any of the internal network interfaces that can access the console via Telnet, but you cannot specify hosts on the outside network interface. Up to 16 hosts or networks are allowed simultaneous access to the PIX Firewall console via Telnet. Telnet carries the session, including the password, in clear text, which is why it is accepted only from internal interfaces unless IPSec protects the session (see if_name below).
  – show telnet—Displays the current list of IP addresses authorized to access the PIX Firewall via Telnet.
  – clear telnet and no telnet—Remove Telnet access from a previously authorized IP address.
  – telnet timeout—Sets the maximum time a console Telnet session can be idle before being logged off by the PIX Firewall.
■ kill—Terminates a Telnet session. When you kill a Telnet session, the PIX Firewall lets any active commands terminate and then drops the connection without warning the user.
■ who—Enables you to view which IP addresses are currently accessing the PIX Firewall console via Telnet.

The syntax of these commands follows:
telnet ip_address [netmask] [if_name]
clear telnet [ip_address [netmask] [if_name]]
no telnet [ip_address [netmask] [if_name]]
telnet timeout minutes
kill telnet_id
who local_ip

ip_address
An IP address of a host or network that can access the PIX Firewall Telnet console. If an interface name is not specified, the address is assumed to be on an internal interface. The PIX Firewall automatically verifies the IP address against the IP addresses specified by the ip address commands to ensure that the address you specify is on an internal interface. If an interface name is specified, the PIX Firewall only checks the host against the interface you specify.

netmask
The bit mask of ip_address. To limit access to a single IP address, use 255 in each octet (for example, 255.255.255.255). If you do not specify the netmask, it defaults to 255.255.255.255 regardless of the class of ip_address. Do not use the subnetwork mask of the internal network; the netmask is only a bit mask for the IP address in ip_address.

if_name
If IPSec is operating, the PIX Firewall enables you to specify an unsecure interface name, typically the outside interface. At a minimum, the crypto map command must be configured on that interface before an interface name can be specified with the telnet command.

minutes
The number of minutes that a Telnet session can be idle before being closed by the PIX Firewall. The default is 5 minutes. The range is 1 to 60 minutes.

telnet_id
The Telnet session identification.

local_ip
An optional internal IP address to limit the listing to one IP address or to a network IP address.
http Commands

pixfirewall(config)# http ip_address [netmask] [if_name]
Enables you to specify the clients that are allowed to access the PIX Firewall's HTTP server.

pixfirewall(config)# http server enable
Enables the PIX Firewall HTTP server.

The http commands allow you to enable the PIX Firewall HTTP server and specify the clients that are allowed to access it. The HTTP server must be enabled to configure and monitor the PIX Firewall through the PIX Device Manager (PDM). PDM is discussed in Chapter 16. Use the http server enable command to enable the PIX Firewall's HTTP server. Specify the clients that are allowed to access it with the http ip_address command. Both commands can be disabled with their no forms. The clear http command removes all HTTP hosts and disables the server.

The syntax of the http commands follows:
http ip_address [netmask] [if_name]
http server enable

ip_address
Specifies the host or network authorized to initiate an HTTP connection to the PIX Firewall.

netmask
Specifies the network mask for the http ip_address. If you do not specify a netmask, the default is 255.255.255.255 regardless of the class of IP address.

if_name
The PIX Firewall interface name on which the host or network initiating the HTTP connection resides. The default if_name is inside.
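As an added example (not PIX code), the following Python model reproduces the host-authorization rules the telnet and http sections above describe, so that the effect of a given netmask can be tested before it is typed into the firewall: the default 255.255.255.255 netmask, bit-mask matching against the source address, interface matching, the 16-entry Telnet limit, the 1 to 60 minute timeout range, the rule that an unsecure interface is accepted only when IPSec is configured on it, and clear http disabling the server. The interface names, addresses, security levels (level 0 treated as the unsecure interface) and the sample policy are constructed assumptions.

```python
"""Model of the PIX telnet/http host-authorization rules.

Added example, not PIX code. It reproduces the checks described in the telnet
and http sections; interface names, addresses, security levels and the sample
policy are constructed assumptions.
"""
import ipaddress

MAX_TELNET_ENTRIES = 16
DEFAULT_NETMASK = "255.255.255.255"   # a missing netmask means a single host


class ManagementAccess:
    """Tracks telnet/http authorizations the way the commands above describe."""

    def __init__(self, interfaces, ipsec_interfaces=()):
        # interfaces: name -> (security level, "address/prefix"), as set by nameif / ip address.
        # Assumption: security level 0 is the unsecure (outside) interface.
        self.interfaces = {name: (level, ipaddress.ip_interface(addr))
                           for name, (level, addr) in interfaces.items()}
        self.ipsec_interfaces = set(ipsec_interfaces)   # interfaces with a crypto map applied
        self.telnet_entries = []   # (network, if_name)
        self.http_entries = []     # (network, if_name)
        self.http_server = False
        self.telnet_timeout = 5    # minutes (default)

    @staticmethod
    def _network(ip, netmask):
        # The netmask is a bit mask over ip_address, not the subnet mask of the LAN.
        return ipaddress.ip_network(f"{ip}/{netmask or DEFAULT_NETMASK}", strict=False)

    def _internal_interface_for(self, ip):
        """With no if_name, the address must fall on an internal interface's subnet."""
        host = ipaddress.ip_address(ip)
        for name, (level, iface) in self.interfaces.items():
            if level > 0 and host in iface.network:
                return name
        raise ValueError(f"{ip} is not on any internal interface")

    def telnet(self, ip, netmask=None, if_name=None):
        if len(self.telnet_entries) >= MAX_TELNET_ENTRIES:
            raise ValueError("only 16 Telnet hosts or networks are allowed")
        if if_name is None:
            if_name = self._internal_interface_for(ip)
        elif self.interfaces[if_name][0] == 0 and if_name not in self.ipsec_interfaces:
            raise ValueError(f"{if_name} is unsecure; configure a crypto map on it first")
        self.telnet_entries.append((self._network(ip, netmask), if_name))

    def set_telnet_timeout(self, minutes):
        if not 1 <= minutes <= 60:
            raise ValueError("telnet timeout must be 1 to 60 minutes")
        self.telnet_timeout = minutes

    def telnet_allowed(self, src_ip, src_if):
        src = ipaddress.ip_address(src_ip)
        return any(src in net and name == src_if for net, name in self.telnet_entries)

    def http_server_enable(self):
        self.http_server = True

    def http(self, ip, netmask=None, if_name="inside"):   # default if_name is inside
        self.http_entries.append((self._network(ip, netmask), if_name))

    def clear_http(self):
        """clear http removes all HTTP hosts and disables the server."""
        self.http_entries.clear()
        self.http_server = False

    def http_allowed(self, src_ip, src_if):
        if not self.http_server:
            return False
        src = ipaddress.ip_address(src_ip)
        return any(src in net and name == src_if for net, name in self.http_entries)


def sample_policy():
    """Constructed policy: one inside admin host for Telnet and PDM, a DMZ jump
    subnet for Telnet, nothing from outside."""
    pix = ManagementAccess({"outside": (0, "192.168.0.2/24"),
                            "inside": (100, "10.0.0.1/24"),
                            "dmz": (50, "172.16.1.1/24")})
    pix.telnet("10.0.0.50")                            # mask defaults to /32
    pix.telnet("172.16.1.0", "255.255.255.0", "dmz")   # whole DMZ subnet
    pix.set_telnet_timeout(10)
    pix.http_server_enable()
    pix.http("10.0.0.50")                              # PDM only from the admin host
    return pix
```

The model makes the two mistakes the parameter descriptions warn about visible: leaving netmask off does not authorize the admin host's whole LAN, and an entry bound to one interface does not match the same address arriving on another.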
The hostname command changes the hostname label on the prompts. The hostname can be up to 16 alphanumeric characters, upper- and lower-case. The default hostname is pixfirewall.

The ping command determines if the PIX Firewall has connectivity, or if a host is available (visible to the PIX Firewall) on the network. The command output shows if the ping was received. If the ping was received, then the host exists on the network. If the ping was not received, the command output displays "NO response received". (At this point, use the show interface command to ensure that the PIX Firewall is connected to the network and is passing traffic.) By default, the ping command makes three attempts to reach an IP address.

If you want internal hosts to be able to ping external hosts, you must create an ICMP conduit for echo reply. This is discussed later in another chapter. If you are pinging through the PIX Firewall between hosts or routers and the pings are not successful, use the debug icmp trace command to monitor the success of the ping.

After your PIX Firewall is configured and operational, you will not be able to ping the inside interface of the PIX Firewall from the outside network or from the outside interfaces of the PIX Firewall. If you can ping the inside networks from the inside interface and the outside networks from the outside interface, the PIX Firewall is functioning normally and your routes are correct.
show Commands

The show command enables you to view command information. This command is usually combined with another command to show system information for that command. You can enter either show or show ? to view the names of the show commands and their descriptions. The following are examples of different show commands:
■ show history—Displays previously entered lines.
■ show memory—Displays a summary of the maximum physical memory and current free memory available to the PIX Firewall.
■ show version—Enables you to view the PIX Firewall's software version, operating time since its last reboot, processor type, Flash memory type, interface boards, and serial number (BIOS ID).
■ show xlate—Displays the translation slot information.
■ show cpu usage—Displays CPU use. This command is permitted from privileged or configuration mode.

Note: The serial number listed with the show version command in version 5.2 and later is for the Flash memory BIOS. This number is different from the serial number on the chassis. When you upgrade your software, you will need the serial number that appears in the show version command rather than the one on the chassis.

In the following example output for the show cpu usage command, p1 is the percentage of CPU used for 5 seconds, p2 is the average percentage of CPU use for 1 minute, and p3 is the average percentage utilization for 5 minutes:

CPU utilization for 5 seconds: p1%; 1 minute: p2%; 5 minutes: p3%

The percentage of usage is shown as NA (not available) if the usage is not available for any of the time intervals. This can happen if the user asks for CPU usage before the 5-second, 1-minute, or 5-minute time interval has elapsed.
show interface Command

pixfirewall# show interface
interface ethernet0 "outside" is up, line protocol is up
  hardware is i82557 ethernet, address is 0060.7380.2f16
  ip address 192.168.0.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 1000000 Kbit half duplex
  1184342 packets input, 1222298001 bytes, 0 no buffer
  received 26 broadcasts, 27 runts, 0 giants
  4 input errors, 0 crc, 4 frame, 0 overrun, 0 ignored, 0 abort
  1310091 packets output, 547097270 bytes, 0 underruns
  0 unicast rpf drops
  0 output errors, 28075 collisions, 0 interface resets
  0 babbles, 0 late collisions, 117573 deferred
  0 lost carrier, 0 no carrier
  input queue (curr/max blocks): hardware (128/128) software (0/1)
  output queue (curr/max blocks): hardware (0/2) software (0/1)
The show interface command enables you to view network interface information. This is one of the first commands you should use when trying to establish connectivity. The following are explanations of the information that is displayed after entering the show interface command:
■ Ethernet—Indicates that you have used the interface command to configure the interface. The statement indicates whether the interface is inside or outside, and whether the interface is available ("up") or not available ("down").
■ Line protocol up—A working cable is plugged into the network interface.
■ Line protocol down—Either the cable plugged into the network interface is incorrect, or it is not plugged into the interface connector.
■ Network interface type—Identifies the network interface.
■ Interrupt vector—It is acceptable for interface cards to have the same interrupts, because the PIX Firewall uses interrupts to get Token Ring information but polls Ethernet cards.
■ MAC address—Intel cards begin with "i" and 3Com cards begin with "3c".
■ MTU (maximum transmission unit)—The size in bytes that data can best be sent over the network.
■ Packets input—Indicates that packets are being received in the PIX Firewall.
■ Packets output—Indicates that packets are being sent from the PIX Firewall.
■ Line duplex status—Indicates whether the PIX Firewall is running full duplex (simultaneous packet transmission) or half duplex (alternating packet transmission).
■ Line speed—10baseT is listed as 10000 Kbit. 100baseTX is listed as 100000 Kbit.
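The counters in this output are easier to triage with a script than by eye. The following is an added example, not Cisco code: it parses the show interface output reproduced above (copied here as a constructed sample) into a dictionary per interface and flags the conditions this section's counter descriptions call out (interface or line protocol down, half duplex, runts, giants, CRC and frame errors, buffer and queue overruns, interface resets, late collisions, and a high collision rate). The 1% collision-to-output-packet threshold is an assumption of this example, not a value from the page.

```python
"""Parse PIX 'show interface' output and flag the counters this section describes.

Added example, not Cisco code. SAMPLE is a constructed copy of the output shown
above; the 1% collision threshold in interface_findings() is an assumption.
"""
import re

SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
  hardware is i82557 ethernet, address is 0060.7380.2f16
  ip address 192.168.0.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 1000000 Kbit half duplex
        1184342 packets input, 1222298001 bytes, 0 no buffer
        received 26 broadcasts, 27 runts, 0 giants
        4 input errors, 0 crc, 4 frame, 0 overrun, 0 ignored, 0 abort
        1310091 packets output, 547097270 bytes, 0 underruns
        0 unicast rpf drops
        0 output errors, 28075 collisions, 0 interface resets
        0 babbles, 0 late collisions, 117573 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/2) software (0/1)
"""

HEADER = re.compile(r'^interface (\S+) "(\S+)" is (up|down), line protocol is (up|down)')
LINK = re.compile(r"MTU (\d+) bytes, BW (\d+) Kbit (full|half) duplex")
COUNTER = re.compile(r"(\d+) ([a-z][a-z ]*?)(?=,|$)")   # "<count> <counter name>" pairs
SKIP = ("interface ", "hardware ", "ip address", "MTU ", "input queue", "output queue")


def parse_show_interface(text):
    """Return one dict per interface block: name, status, duplex, speed and counters."""
    interfaces, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"hw": m.group(1), "name": m.group(2), "status": m.group(3),
                   "line_protocol": m.group(4), "counters": {}}
            interfaces.append(cur)
            continue
        if cur is None:
            continue
        m = LINK.search(line)
        if m:
            cur["mtu"], cur["bw_kbit"], cur["duplex"] = int(m.group(1)), int(m.group(2)), m.group(3)
            continue
        if line.startswith(SKIP):
            continue
        last = None
        for value, key in COUNTER.findall(line):
            key = key.strip()
            if key == "bytes" and last:          # "bytes" follows "packets input/output"
                key = "bytes " + last.split()[-1]
            cur["counters"][key] = int(value)
            last = key
    return interfaces


def interface_findings(iface, collision_pct=1.0):
    """Human-readable findings for one parsed interface. collision_pct is an
    assumed threshold for collisions as a percentage of output packets."""
    c = iface["counters"]
    findings = []
    if iface["status"] != "up" or iface["line_protocol"] != "up":
        findings.append("interface or line protocol down: check the cable and the interface command")
    if iface.get("duplex") == "half":
        findings.append("half duplex: expect collisions and deferred transmissions")
    for key in ("runts", "giants", "crc", "frame", "input errors"):
        if c.get(key, 0):
            findings.append(f"{key}: {c[key]}")
    for key in ("no buffer", "overrun", "underruns", "interface resets"):
        if c.get(key, 0):
            findings.append(f"{key}: {c[key]} (PIX Firewall or interface card cannot keep up)")
    if c.get("late collisions", 0):
        findings.append(f"late collisions: {c['late collisions']} (cabling or repeater problem)")
    out = c.get("packets output", 0)
    if out and 100.0 * c.get("collisions", 0) / out > collision_pct:
        findings.append(f"collisions: {c['collisions']} ({100.0 * c['collisions'] / out:.1f}% of output packets)")
    return findings


if __name__ == "__main__":
    for iface in parse_show_interface(SAMPLE):
        print(iface["name"], iface["status"], iface.get("duplex"))
        for finding in interface_findings(iface):
            print("  -", finding)
```

Run against the page's own output, the script reports the half-duplex line, the 27 runts, the 4 frame and input errors, and a collision count above 2% of output packets, while the zero late-collision and reset counters stay quiet.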
The following are explanations of show interface command output that can indicate interface problems:
■ No buffer—Indicates the PIX Firewall is out of memory or slowed down due to heavy traffic and cannot keep up with the received data.
■ Runts—Packets with less information than expected.
■ Giants—Packets with more information than expected.
■ CRC (cyclic redundancy check)—Packets that contain corrupted data (checksum error).
■ Frame errors—Indicates framing errors.
■ Ignored and aborted errors—This information is provided for future use, but is not currently checked; the PIX Firewall does not ignore or abort frames.
■ Underruns—Occurs when the PIX Firewall is overwhelmed and cannot get data fast enough to the network interface card.
■ Overruns—Occurs when the network interface card is overwhelmed and cannot buffer received information before more needs to be sent.
■ Unicast rpf drops—Occurs when packets sent to a single network destination using reverse path forwarding are dropped.
■ Output errors—(Maximum collisions.) The number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.
■ Collisions—(Single and multiple collisions.) The number of messages retransmitted due to an Ethernet collision. This usually occurs on an overextended LAN when the Ethernet or transceiver cable is too long, there are more than two repeaters between stations, or there are too many cascaded multiport transceivers. A packet that collides is counted only once by the output packets.
■ Interface resets—The number of times an interface has been reset. If an interface is unable to transmit for three seconds, the PIX Firewall resets the interface to restart transmission. During this interval, the connection state is maintained. An interface reset can also happen when an interface is looped back or shut down.
■ Babbles—The transmitter has been on the interface longer than the time taken to transmit the largest frame. This counter is unused.
■ Late collisions—The number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, these should never happen. When two Ethernet hosts try to talk at once, they should collide early in the packet and both back off, or the second host should see that the first one is talking and wait. If you get a late collision, a device is jumping in and trying to send on the Ethernet while the PIX Firewall is partly finished sending the packet. The PIX Firewall does not resend the packet, because it may have freed the buffers that held the first part of the packet. This is not a real problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate a problem exists in your network. Common problems are large repeated networks and Ethernet networks running beyond the specification.
■ Deferred—The number of frames that were deferred before transmission due to activity on the link.
■ Lost carrier—The number of times the carrier signal was lost during transmission.
■ No carrier—This counter is unused.
■ Input queue—This is the input (receive) hardware and software queue.
  – Hardware—(Current and maximum blocks.) The number of blocks currently present on the input hardware queue, and the maximum number of blocks previously present on that queue.
  – Software—(Current and maximum blocks.) The number of blocks currently present on the input software queue, and the maximum number of blocks previously present on that queue.
■ Output queue—This is the output (transmit) hardware and software queue.
  – Hardware—(Current and maximum blocks.) The number of blocks currently present on the output hardware queue, and the maximum number of blocks previously present on that queue.
  – Software—(Current and maximum blocks.) The number of blocks currently present on the output software queue, and the maximum number of blocks previously present on that queue.
Note: The following counters are only valid for Ethernet interfaces: output errors, collisions, interface resets, babbles, late collisions, deferred, lost carrier, and no carrier.

Note: Starting with PIX Firewall software version 6.0(1), FDDI, PL2, and Token Ring interfaces are not supported.
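The counters described above can be checked mechanically rather than read by eye. The following Python script is an added example, not part of the Cisco course material: it parses show interface output in the format shown in this chapter's lab (the sample text is constructed, with invented values) and flags the counters this section lists as signs of interface trouble.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the show interface output format used in this chapter's
# lab; the values are invented, and "dmz" carries deliberate error counters.
SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82558 ethernet, address is 0090.2724.fd0f
  IP address 192.168.0.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        1204 packets input, 98311 bytes, 0 no buffer
        Received 17 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        988 packets output, 71022 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
interface ethernet2 "dmz" is up, line protocol is up
  Hardware is i82558 ethernet, address is 0090.2725.060d
  IP address 172.16.0.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        532 packets input, 40115 bytes, 3 no buffer
        Received 9 broadcasts, 0 runts, 0 giants
        12 input errors, 12 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        410 packets output, 30876 bytes, 0 underruns
        0 output errors, 44 collisions, 0 interface resets
        0 babbles, 7 late collisions, 3 deferred
        0 lost carrier, 0 no carrier
interface ethernet3 "intf3" is administratively down, line protocol is down
  Hardware is i82558 ethernet, address is 0090.2716.43dc
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 100000 Kbit full duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
"""

HEADER_RE = re.compile(r'^interface (?P<hw>\S+) "(?P<name>[^"]+)" is '
                       r'(?P<status>.+?), line protocol is (?P<proto>\S+)$')
BW_RE = re.compile(r'BW (?P<bw>\d+) Kbit (?P<duplex>full|half) duplex')
# "<count> <counter name>" pairs, e.g. "12 CRC" or "7 late collisions"
COUNTER_RE = re.compile(r'(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)')


def parse_show_interface(text: str) -> Dict[str, dict]:
    """Parse show interface output into {if_name: {status, counters, ...}}."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER_RE.match(line)
        if head:
            current = {"hardware_id": head["hw"], "status": head["status"],
                       "line_protocol": head["proto"], "counters": {}}
            interfaces[head["name"]] = current
            continue
        if current is None or line.startswith(("Hardware", "IP address")):
            continue
        bw = BW_RE.search(line)
        if bw:
            current["bandwidth_kbit"] = int(bw["bw"])
            current["duplex"] = bw["duplex"]
            continue
        for value, label in COUNTER_RE.findall(line):
            if label == "bytes":  # appears on both the input and the output line
                label = "bytes input" if "packets input" in line else "bytes output"
            current["counters"][label] = int(value)
    return interfaces


# Counters the chapter lists as signs of trouble. "ignored", "abort", "babbles"
# and "no carrier" are left out because the text says they are unused.
PROBLEM_COUNTERS = ("no buffer", "runts", "giants", "CRC", "frame", "overrun",
                    "underruns", "output errors", "interface resets",
                    "late collisions", "lost carrier")


def find_interface_problems(interfaces: Dict[str, dict]) -> List[Tuple[str, str, int]]:
    """Return (if_name, indicator, value) for every enabled interface that is
    not up/up or that has a non-zero problem counter."""
    problems: List[Tuple[str, str, int]] = []
    for name, info in interfaces.items():
        if info["status"] == "administratively down":
            continue  # shut down on purpose, nothing to diagnose
        if info["status"] != "up" or info["line_protocol"] != "up":
            problems.append((name, "line protocol " + info["line_protocol"], 0))
        for label in PROBLEM_COUNTERS:
            value = info["counters"].get(label, 0)
            if value:
                problems.append((name, label, value))
    return problems


if __name__ == "__main__":
    for if_name, indicator, value in find_interface_problems(
            parse_show_interface(SAMPLE_SHOW_INTERFACE)):
        print(f"{if_name}: {indicator} = {value}")
```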
show ip address Command

pixfirewall# show ip address
Building configuration...
System IP Addresses:
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
Current IP Addresses:
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
The show ip address command enables you to view which IP addresses are assigned to the network interfaces. The current IP addresses are the same as the system IP addresses on the failover active unit. When the active unit fails, the current IP address becomes that of the standby unit.
name Command

pixfirewall(config)# name ip_address name
• Configures a list of name-to-IP address mappings on the PIX Firewall

pixfirewall(config)# name 172.16.0.2 bastionhost

[Figure: PIX Firewall with e0 at .2 on 192.168.0.0/24, e1 at .1 on 10.0.0.0/24, and e2 at .1 on 172.16.0.0/24; the bastion host is at .2 on 172.16.0.0/24.]

The use of the name command enables you to configure a list of name-to-IP address mappings on the PIX Firewall. This allows the use of names in the configuration instead of the IP address. You can specify a name by using the following syntax:

name ip_address name

ip_address
    The IP address of the host being named.
name
    The name assigned to the IP address. Allowable characters are a to z, A to Z, 0 to 9, a dash ( - ), and an underscore ( _ ). The name cannot start with a number. If the name is over 16 characters long, the name command fails.

After the name is defined, it can be used in any PIX Firewall command reference in place of an IP address. The names command enables the use of the name command. You must first use the names command before using the name command. The clear names and no names commands are the same, and disable use of the name text strings. The show names command lists the name command statements in the configuration.
ASA Security Levels

This section discusses the Adaptive Security Algorithm (ASA) and the ASA security levels.

Functions of the Adaptive Security Algorithm
• Implements stateful connection control through the PIX Firewall
• Allows one-way (inside to outside) connections without an explicit configuration for each internal system and application
• Monitors return packets to ensure they are valid
• Randomizes the TCP sequence number to minimize the risk of attack

The ASA is a stateful approach to security. Every inbound packet is checked against the ASA and against connection state information in the PIX Firewall’s memory. Knowledge of the ASA is fundamental to implementing Internet access security because it performs the following tasks:
■ Implements stateful connection control through the PIX Firewall
■ Allows one-way (inside to outside) connections without an explicit configuration for each internal system and application
■ Monitors return packets to ensure they are valid
■ Randomizes the TCP sequence number to minimize the risk of attack
ASA maintains the secure perimeters between the networks controlled by the PIX Firewall. The stateful connection-oriented ASA design creates session flows based on source and destination addresses. ASA randomizes TCP sequence numbers, port numbers, and TCP flags before the completion of the connection. This function is always running, monitoring return packets to ensure that they are valid.
ASA Security Level Example

[Figure: The PIX Firewall connects e0 (security level 0, interface name outside) to the outside network and the Internet, e1 (security level 100, interface name inside) to the inside network, and e2 (security level 50, interface name pix/intf2) to the perimeter network.]
The security level designates whether an interface is inside (trusted) or outside (untrusted) relative to another interface. An interface is considered inside in relation to another interface if its security level is higher than the other interface’s security level, and is considered outside in relation to another interface if its security level is lower than the other interface’s security level. The primary rule for security levels is that an interface with a higher security level can access an interface with a lower security level. Conversely, an interface with a lower security level cannot access an interface with a higher security level without a conduit (which is discussed later). Security levels range from 0 to 100, and the following are more specific rules for these security levels:
■ Security level 100—This is the highest security level for the inside interface of the PIX Firewall. This is the default setting for the PIX Firewall and cannot be changed. Because 100 is the most trusted interface security level, your corporate network should be set up behind it. This is so that no one else can access it unless they are specifically given permission, and so that every device behind this interface can have access outside the corporate network.
■ Security level 0—This is the lowest security level for the outside interface of the PIX Firewall. This is the default setting for the PIX Firewall and cannot be changed. Because 0 is the least trusted interface security level, you should set your most untrusted network behind this interface so that it does not have access to other interfaces unless it is specifically given permission. This interface is usually used for your Internet connection.
■ Security levels 1−99—These are the security levels that you can assign to the perimeter interfaces connected to the PIX Firewall. You assign the security levels based on the type of access you want each device to have.
The following are examples of different interface connections between the PIX Firewall and other perimeter devices:
■ More secure interface (the higher security level) to a less secure interface (the lower security level)—Traffic originating from the inside interface of the PIX Firewall with a security level of 100 to the outside interface of the PIX Firewall with a security level of 0 follows this rule: allow all IP-based traffic unless restricted by access lists, authentication, or authorization.
■ Less secure interface (lower security level) to a more secure interface (higher security level)—Traffic originating from the outside interface of the PIX Firewall with a security level of 0 to the inside interface of the PIX Firewall with a security level of 100 follows this rule: drop all packets unless specifically allowed by the conduit command. Further restrict the traffic if authentication and authorization is used.
■ Same secure interface to a same secure interface—No traffic flows between two interfaces with the same security level.
The following table explains the diagram in the previous figure.

Relative Interface Relationship for Ethernet 2 (DMZ) Interface

Interface Pair                            Configuration Guidelines
Outside security 0 to DMZ security 50     DMZ is considered inside. Statics and conduits must be configured to enable sessions originated from the outside interface to the DMZ interface.
Inside security 100 to DMZ security 50    DMZ is considered outside. Globals and NAT are configured to enable sessions originated from the inside interface to the DMZ interface. Statics may be configured for the DMZ interface to ensure service hosts have the same source address.

Note: The PIX Firewall can have up to six perimeter networks for a total of eight interfaces.
The Six Primary Commands

This section contains the six primary commands needed to make the PIX Firewall operational.

PIX Firewall Primary Commands
There are six primary configuration commands for the PIX Firewall:
• nameif
• interface
• ip address
• nat
• global
• route

There are six primary configuration commands for the PIX Firewall:
■ nameif—Assigns a name to each perimeter interface and specifies its security level.
■ interface—Configures the type and capability of each perimeter interface.
■ ip address—Assigns an IP address to each interface.
■ nat—Shields IP addresses on the inside network from the outside network.
■ global—Shields IP addresses on the inside network from the outside network using a pool of IP addresses.
■ route—Defines a static or default route for an interface.
Command 1: nameif

pixfirewall(config)# nameif hardware_id if_name security_level
• The nameif command assigns a name to each perimeter interface on the PIX Firewall and specifies its security level.

The nameif command assigns a name to each perimeter interface on the PIX Firewall and specifies its security level (except for the inside and outside PIX Firewall interfaces, which are named by default). The syntax for the nameif command is as follows:

nameif hardware_id if_name security_level

hardware_id
    Specifies a perimeter interface and its slot location on the PIX Firewall. There are three interface types that you can enter here: Ethernet, FDDI, or Token Ring. Each interface is represented by an alphanumeric identifier based on which interface type it is and what numeric identifier you choose to give it. For example, an Ethernet interface is represented as e1, e2, e3, and so on; a FDDI interface is represented as fddi1, fddi2, fddi3, and so on; and a Token Ring interface is represented as token-ring1, token-ring2, token-ring3, and so on.
if_name
    Describes the perimeter interface. This name is assigned by you, and must be used in all future configuration references to the perimeter interface.
security_level
    Indicates the security level for the perimeter interface. Enter a security level of 1−99.
Command 2: interface

pixfirewall(config)# interface hardware_id hardware_speed
• The interface command configures the type and capability of each perimeter interface.

pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full
• The outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication.

The interface command identifies hardware, sets its hardware speed, and enables the interface. When an additional Ethernet interface card is installed on the PIX Firewall, the PIX Firewall automatically recognizes the additional card. The syntax for the interface command is as follows:

interface hardware_id hardware_speed [shutdown]

hardware_id
    Specifies an interface and its slot location on the PIX Firewall. This is the same variable that was used during the nameif command.
hardware_speed
    Determines the connection speed. Possible Ethernet values are as follows:
    ■ 10baset—Set for 10 Mbps Ethernet half-duplex communication.
    ■ 10full—Set for 10 Mbps Ethernet full-duplex communication.
    ■ 100basetx—Set for 100 Mbps Ethernet half-duplex communication.
    ■ 100full—Set for 100 Mbps Ethernet full-duplex communication.
    ■ 1000sxfull—Set for 1000 Mbps Gigabit Ethernet full-duplex operation.
    ■ 1000basesx—Set for 1000 Mbps Gigabit Ethernet half-duplex operation.
    ■ 1000auto—Set for 1000 Mbps Gigabit Ethernet to auto-negotiate full- or half-duplex. To maintain compatibility with switches and other devices in your network, it is recommended that you do not use this option.
    ■ aui—Set for 10 Mbps Ethernet half-duplex communication with an AUI cable interface.
    ■ auto—Set Ethernet speed automatically. The auto keyword can only be used with the Intel 10/100 automatic speed sensing network interface card.
    ■ bnc—Set for 10 Mbps Ethernet half-duplex communication with a BNC cable interface.
    Possible Token Ring values are as follows:
    ■ 4mbps—4 Mbps data transfer speed. You can specify this as 4.
    ■ 16mbps—(Default.) 16 Mbps data transfer speed. You can specify this as 16.
shutdown
    Administratively shuts down the interface.

Although the hardware speed is set to automatic speed sensing by default, it is recommended that you specify the speed of the network interfaces. This enables the PIX Firewall to operate in network environments that may include switches or other devices that do not handle auto sensing correctly.

Note: When a FDDI or Token Ring interface card is installed, you must define the FDDI or Token Ring interface card using the interface command, because the PIX Firewall does not automatically recognize it. Starting with PIX Firewall software version 6.0(1), FDDI, PL2, and Token Ring interfaces are not supported.
Command 3: ip address

pixfirewall(config)# ip address if_name ip_address [netmask]
• The ip address command assigns an IP address to each interface.

pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0

Each interface on the PIX Firewall must be configured with an IP address. The syntax for the ip address command is as follows:

ip address if_name ip_address [netmask]

if_name
    Describes the interface. This name is assigned by you, and must be used in all future configuration references to the interface.
ip_address
    The IP address of the interface.
netmask
    If a network mask is not specified, the default network mask is assumed.

After configuring the IP address and netmask, use the show ip command to view which addresses are assigned to the network interfaces. If you made a mistake while entering the information, reenter the command with the correct information.
Command 4: nat

pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
• The nat command shields IP addresses on the inside network from the outside network.

Network address translation (NAT) enables you to keep your internal IP addresses—those behind the PIX Firewall—unknown to external networks. NAT accomplishes this by translating the internal IP addresses, which are not globally unique, into globally accepted IP addresses before packets are forwarded to the external network. The syntax for the nat command is as follows:

nat [(if_name)] nat_id local_ip [netmask]

if_name
    Describes the internal network interface name where you will use the global addresses.
nat_id
    Identifies the global pool and matches it with its respective nat command.
local_ip
    The IP address that is assigned to the interface on the inside network.
netmask
    Network mask for the local IP address. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool.

When you initially configure the PIX Firewall, you can enable all inside hosts to access outbound connections with the nat 1 0.0.0.0 0.0.0.0 command. The nat 1 0.0.0.0 0.0.0.0 command enables NAT and lets all inside hosts (specified as 0.0.0.0) access outbound connections. The nat command can specify single hosts or ranges of hosts to make access more selective. 0 can be used in place of 0.0.0.0.
NAT Example

[Figure: An inside packet with source addr 10.0.0.3 and destination addr 200.200.200.10 is shown beside the outside packet after translation, with its translated source addr, destination addr 200.200.200.10, source port, and destination port.]
When an outbound IP packet that is sent from a device on the inside network reaches the PIX Firewall, the source address is extracted and compared to an internal table of existing translations. If the device’s address is not already in the table, it is then translated: a new entry is created for that device and it is assigned a global IP address from a pool of global IP addresses. After this translation occurs, the table is updated and the translated IP packet is forwarded. After a user-configurable timeout period (or the default of two minutes), during which there have been no translated packets for that particular IP address, the entry is removed from the table, and the global address is freed for use by another inside device.
Command 5: global

pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20–192.168.0.254 range

The syntax for the global command is as follows:

global [(if_name)] nat_id global_ip [-global_ip] [netmask global_mask] | interface

if_name
    Describes the external network interface name where you will use the global addresses.
nat_id
    Identifies the global pool and matches it with its respective nat command.
global_ip
    A single IP address or the beginning IP address for a range of global IP addresses.
-global_ip
    The end of a range of global IP addresses.
netmask global_mask
    The network mask for the global_ip address. If subnetting is in effect, use the subnet mask (for example, 255.255.255.128). If you specify an address range that overlaps subnets with the netmask command, this command will not use the broadcast or network address in the pool of global addresses. For example, if you use 255.255.255.128 and an address range of 192.150.50.20−192.150.50.140, the 192.150.50.127 broadcast address and the 192.150.50.128 network address will not be included in the pool of global addresses.
interface
    Specifies PAT using the IP address at the interface.

If the nat command is used, the companion command, global, must be configured to define the pool of translated IP addresses. To delete a global entry, use the no global command. For example, no global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0.
Note: The PIX Firewall assigns addresses from the global pool starting from the low end to the high end of the range specified in the global command.

Note: The PIX Firewall uses the global addresses to assign a virtual IP address to an internal NAT address. After adding, changing, or removing a global statement, use the clear xlate command to make the IP addresses available in the translation table.
Two Interfaces with NAT (Multiple Internal Networks)

[Figure: A two-interface PIX Firewall topology connected to the Internet; only the Internet label survives from the figure.]
In the previous figure, the first nat statement permits all hosts on the 10.0.0.0 network to start outbound connections using the IP addresses from a global pool. The second nat statement permits all hosts on the 10.1.0.0 network to do the same. The nat_id in the first nat statement tells the PIX Firewall to translate the 10.0.0.0 addresses to those in the global pool containing the same nat_id. Likewise, the nat_id in the second nat statement tells the PIX Firewall to translate addresses for hosts on network 10.1.0.0 to the addresses in the global pool containing nat_id.
Three Interfaces with NAT

[Figure: The Internet connects to a pod perimeter router at .1 on 192.168.0.0/24. The PIX Firewall has e0 outside .2 (security level 0), e1 inside .1 (security level 100), and e2 dmz .1 (security level 50). The DMZ network 172.16.0.0/24 holds the bastion host (web and FTP server) at .2; the inside network 10.0.0.0/24 holds an inside host (web and FTP server) at .3; the backbone web, FTP, and TFTP server is at 172.26.26.50.]
In the previous figure, the first nat statement enables hosts on the inside interface, which has a security level of 100, to start connections to hosts on interfaces with lower security levels. In this case, that includes hosts on the outside interface and hosts on the DMZ. The second nat statement enables hosts on the DMZ, which has a security level of 50, to start connections to hosts on interfaces with lower security levels. In this case, that includes only the outside interface. Because both global pools and the nat (inside) statement use a nat_id of 1, addresses for hosts on the 10.0.0.0 network can be translated to those in either global pool. Therefore, when users on the inside interface access hosts on the DMZ, their source addresses are translated to addresses in the 172.16.0.2−172.16.0.254 range from the global (dmz) statement. When they access hosts on the outside, their source addresses are translated to addresses in the 192.168.0.20−192.168.0.254 range from the global (outside) statement. When users on the DMZ access hosts on the outside, their source addresses are always translated to addresses in the 192.168.0.20−192.168.0.254 range from the global (outside) statement. The global (dmz) statement gives inside users access to the web server on the DMZ interface.
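The security-level rule, the pairing of nat and global statements by nat_id, the network/broadcast exclusion described for the global netmask, and the translation-table timeout described in the NAT example can all be modelled together. The following Python is an added example and not Cisco's code: the interface levels and nat/global statements are those of the three-interface figure above, the 120-second idle timeout is the default stated in this chapter, and the behaviour of a real PIX beyond what the text states is not claimed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Security levels and nat/global statements from the chapter's three-interface
# example (nameif e0 outside security0, e1 inside security100, e2 dmz security50).
SECURITY_LEVELS = {"outside": 0, "inside": 100, "dmz": 50}
# nat (if_name) nat_id local_ip netmask
NAT_STATEMENTS = [("inside", 1, ipaddress.ip_network("10.0.0.0/24")),
                  ("dmz", 1, ipaddress.ip_network("172.16.0.0/24"))]
# global (if_name) nat_id first-last netmask mask
GLOBAL_STATEMENTS = [("outside", 1, "192.168.0.20", "192.168.0.254", "255.255.255.0"),
                     ("dmz", 1, "172.16.0.2", "172.16.0.254", "255.255.255.0")]


def default_flow_policy(levels: Dict[str, int], src_if: str, dst_if: str) -> str:
    """ASA security-level rule for a session that originates on src_if."""
    src, dst = levels[src_if], levels[dst_if]
    if src > dst:
        return "allow"                 # unless restricted by access lists or AAA
    if src < dst:
        return "deny-unless-conduit"   # needs a static plus a conduit
    return "deny-same-level"           # no traffic between equal levels


def global_pool_addresses(first: str, last: str, netmask: str) -> List[str]:
    """Expand a global range, skipping the network and broadcast address of
    each subnet the range overlaps (the behaviour described for netmask)."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    pool = []
    for n in range(int(start), int(end) + 1):
        addr = ipaddress.IPv4Address(n)
        subnet = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
        if addr not in (subnet.network_address, subnet.broadcast_address):
            pool.append(str(addr))
    return pool


def select_global_range(src_if: str, dst_if: str, src_ip: str,
                        levels=SECURITY_LEVELS, nats=NAT_STATEMENTS,
                        globals_=GLOBAL_STATEMENTS) -> Optional[Tuple[str, str]]:
    """Pick the global pool used for a flow: the nat statement on the source
    interface and the global on the destination interface must share nat_id."""
    if default_flow_policy(levels, src_if, dst_if) != "allow":
        return None
    ip = ipaddress.IPv4Address(src_ip)
    for nat_if, nat_id, network in nats:
        if nat_if != src_if or ip not in network:
            continue
        for g_if, g_id, first, last, _mask in globals_:
            if g_if == dst_if and g_id == nat_id:
                return (first, last)
    return None


class XlateTable:
    """Dynamic translation table: hands out global addresses low to high and
    frees an entry after `timeout` seconds with no translated packets."""

    def __init__(self, pool: List[str], timeout: float = 120.0):
        self.free = sorted(pool, key=ipaddress.IPv4Address)
        self.entries: Dict[str, Tuple[str, float]] = {}  # local -> (global, last seen)
        self.timeout = timeout

    def expire(self, now: float) -> None:
        for local_ip, (global_ip, last) in list(self.entries.items()):
            if now - last >= self.timeout:
                del self.entries[local_ip]
                self.free.append(global_ip)
        self.free.sort(key=ipaddress.IPv4Address)

    def translate(self, local_ip: str, now: float) -> Optional[str]:
        self.expire(now)
        if local_ip in self.entries:
            global_ip = self.entries[local_ip][0]
        elif self.free:
            global_ip = self.free.pop(0)
        else:
            return None  # pool exhausted: the connection cannot be translated
        self.entries[local_ip] = (global_ip, now)
        return global_ip


if __name__ == "__main__":
    print(select_global_range("inside", "dmz", "10.0.0.3"))
    print(select_global_range("dmz", "outside", "172.16.0.2"))
    print(len(global_pool_addresses("192.150.50.20", "192.150.50.140", "255.255.255.128")))
```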
Command 6: route

pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
• The route command defines a static or default route for an interface.

The syntax for the route command is as follows:

route if_name ip_address netmask gateway_ip [metric]

if_name
    Describes the internal or external network interface name.
ip_address
    Describes the internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.
netmask
    Specifies a network mask to apply to ip_address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.
gateway_ip
    Specifies the IP address of the gateway router (the next hop address for this route).
metric
    Specifies the number of hops to gateway_ip. If you are not sure, enter 1. Your WAN administrator can supply this information or you can use a traceroute command to obtain the number of hops. The default is 1 if a metric is not specified.

All routes entered using the route command are stored in the configuration when it is saved. In the example shown in the figure, all outgoing packets are sent to the 192.168.1.1 router IP address. More than one route can be configured.
Summary

This section summarizes the information you learned in this chapter.

Lab Exercise―Configure the PIX Firewall and Execute General Maintenance Commands

Complete the following lab exercises to practice what you have learned in this chapter.

Objectives

In this lab exercise, you will complete the following tasks:
■ Familiarize yourself with the general maintenance commands.
■ Configure basic PIX Firewall features to protect Internet access to an enterprise network.
■ Test and verify basic PIX Firewall operation.
Visual Objective

The following illustration displays the lab topology for your classroom environment. You will use the IP addresses in this visual objective for the remainder of the course.

Lab Visual Objective

[Figure: The Internet connects to the pod perimeter router at .1 on 192.168.P.0/24. The PIX Firewall has e0 outside .2, e1 inside .1, and e2 dmz .1. The DMZ network 172.16.P.0/24 holds the bastion host (web and FTP server) at .2; the inside network 10.0.P.0/24 has a host at .3; the backbone web, FTP, and TFTP server is at 172.26.26.50.]
Setup

Before starting this lab exercise, make sure the PIX Firewall is turned on and that the PC is connected to the PIX Firewall.

Directions

You will assign IP addresses and review all entries. You will also execute general maintenance commands necessary for proper PIX Firewall operation. Substitute your pod number wherever you see the letter P. Perform the following steps in this lab exercise:
■ View the default configuration of the PIX Firewall.
■ Answer written lab questions.
■ Configure the PIX Firewall interfaces.
■ Test the inside, outside, and DMZ interface connectivity.
■ Configure global addresses, NAT, and routing for inside and outside interfaces.
Task 1—Execute General Commands

To familiarize yourself with the general maintenance commands, complete the following.

Step 1 The instructor will provide you with the procedures for access to the PIX Firewall console port, as this will vary according to your lab connectivity. After you access the PIX Firewall console port, the PIX Firewall prompt appears.
pixfirewall>

Step 2 Display the list of help commands:
pixfirewall> ?
Q 1) What is the first command available?
A) enable

Step 3 Enter the privileged mode of the PIX Firewall. When prompted for a password, press Enter.
pixfirewall> enable
password:
pixfirewall#

Step 4 Display the list of help commands at this point:
pixfirewall# ?
Q 2) What is the first command available?
A) arp

Step 5 Use the write terminal command to display the PIX Firewall configuration to the terminal screen:
pixfirewall# write terminal
Q 3) Look at the default values on the terminal screen and fill out the following table.

                  Ethernet 0    Ethernet 1    Ethernet 2
Interface Name    outside       inside        intf2
Security Level    0             100           10

Step 6 Enter the show memory command:
pixfirewall# show memory
Q 4) What information is shown on the terminal screen?
A) 67108864 bytes total, 50589696 bytes free

Step 7 Enter the show version command:
pixfirewall# show version
Q 5) What information is shown on the terminal screen?
A) Cisco Secure PIX Firewall Version 5.3(1)

Step 8 Enter the show history command:
pixfirewall# show history
Q 6) What information is shown on the terminal screen?
A) enable
B) write terminal
C) show memory
D) show version
E) show history

Step 9 Enter the configuration mode and change the hostname to pixP (where P = pod number) using the hostname command:
pixfirewall# configure terminal
pixfirewall(config)#
pixfirewall(config)# hostname pixP
pixP(config)# exit
pixP# write memory
Task 2—Configure PIX Firewall Interfaces

To configure PIX Firewall Ethernet interfaces, complete the following steps:

Step 1 Change to configuration mode:
pixP# configure terminal

Step 2 Assign the PIX Firewall DMZ interface a name (dmz) and security level (50):
pixP(config)# nameif e2 dmz security50
pixP(config)# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25

Step 3 Enable the Ethernet 0, Ethernet 1, and Ethernet 2 interfaces for 100 Mbps Ethernet full duplex communication.

Note: By default the interfaces are disabled. You must enable all interfaces you intend to use.
pixP(config)# interface e0 100full pixP(config)# interface e1 100full pixP(config)# interface e2 100full pixP(config)# show interface interface ethernet0 "outside" is up, line protocol is up Hardware is i82558 ethernet, address is 0090.2724.fd0f IP address 127.0.0.1, subnet mask 255.255.255.255 MTU 1500 bytes, BW 10000 Kbit half duplex Lab 5-4 Cisco Secure PIX Firewall Advanced 2.1
Copyright 2002, Cisco Systems, Inc.
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82558 ethernet, address is 0090.2716.43dd
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 100000 Kbit full duplex
  184 packets input, 15043 bytes, 0 no buffer
  Received 179 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
interface ethernet2 "dmz" is up, line protocol is up
  Hardware is i82558 ethernet, address is 0090.2725.060d
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 10000 Kbit half duplex
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
interface ethernet3 "intf3" is administratively down, line protocol is down
  Hardware is i82558 ethernet, address is 0090.2716.43dc
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 100000 Kbit full duplex
  184 packets input, 15043 bytes, 0 no buffer
  Received 179 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
interface ethernet4 "intf4" is administratively down, line protocol is down
  Hardware is i82558 ethernet, address is 0090.2716.43db
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 100000 Kbit full duplex
  184 packets input, 15043 bytes, 0 no buffer
  Received 179 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
interface ethernet5 "intf5" is administratively down, line protocol is down
  Hardware is i82558 ethernet, address is 0090.2716.43da
Basic Configuration of the Cisco PIX Firewall Lab 5-5
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 100000 Kbit full duplex
  184 packets input, 15043 bytes, 0 no buffer
  Received 179 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
Step 4
Assign IP addresses to the inside, outside, and DMZ network interface cards. Insert your pod number wherever you see the letter P:
pixP(config)# ip address outside 192.168.P.2 255.255.255.0
pixP(config)# ip address inside 10.0.P.1 255.255.255.0
pixP(config)# ip address dmz 172.16.P.1 255.255.255.0
(where P = pod number)
Step 5
Ensure that the IP addresses are correctly configured and are associated with the proper network interface:
pixP(config)# show ip address
System IP Addresses:
  ip address outside 192.168.P.2 255.255.255.0
  ip address inside 10.0.P.1 255.255.255.0
  ip address dmz 172.16.P.1 255.255.255.0
  ip address intf3 127.0.0.1 255.255.255.255
  ip address intf4 127.0.0.1 255.255.255.255
  ip address intf5 127.0.0.1 255.255.255.255
Current IP Addresses:
  ip address outside 192.168.P.2 255.255.255.0
  ip address inside 10.0.P.1 255.255.255.0
  ip address dmz 172.16.P.1 255.255.255.0
  ip address intf3 0.0.0.0 0.0.0.0
  ip address intf4 0.0.0.0 0.0.0.0
  ip address intf5 0.0.0.0 0.0.0.0
Step 6
Write the configuration to the Flash memory:
pixP(config)# write memory
Building configuration...
Cryptochecksum: d4d9ae69 9f7c734c babeef58 54b69c91
Lab 5-6 Cisco Secure PIX Firewall Advanced 2.1
Task 3—Configure Global Addresses, NAT, and Routing for Inside and Outside Interfaces
To configure a global address pool, NAT, and routing, complete the following steps:
Step 1
Assign one pool of NIC-registered IP addresses for use by outbound connections:
pixP(config)# global (outside) 1 192.168.P.20-192.168.P.254 netmask 255.255.255.0
pixP(config)# show global
global (outside) 1 192.168.P.20-192.168.P.254 netmask 255.255.255.0
(where P = pod number)
Step 2
Configure the PIX Firewall to allow all inside hosts to use NAT for outbound access:
pixP(config)# nat (inside) 1 0 0
Step 3
Display the currently configured NAT:
pixP(config)# show nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Step 4
Assign a default route:
pixP(config)# route outside 0 0 192.168.P.1
Step 5
Display the currently configured routes:
pixP(config)# show route
  outside 0.0.0.0 0.0.0.0 192.168.P.1 1 OTHER static
  inside 10.0.P.0 255.255.255.0 10.0.P.1 1 CONNECT static
  dmz 172.16.P.0 255.255.255.0 172.16.P.1 1 CONNECT static
  outside 192.168.P.0 255.255.255.0 192.168.P.2 1 CONNECT static
Step 6
Write the current configuration to Flash memory:
pixP(config)# write memory
Step 7
Display a list of the most recently entered commands. Your history inputs should be similar to the following:
pixP(config)# show history
  interface e0 100full
  interface e1 100full
  interface e2 100full
  show interface
  ip address outside 192.168.P.2 255.255.255.0
  ip address inside 10.0.P.1 255.255.255.0
  ip address dmz 172.16.P.1 255.255.255.0
  show ip address
  write memory
  exit
  configure terminal
  global (outside) 1 192.168.P.20-192.168.P.254 netmask 255.255.255.0
  show global
  nat (inside) 1 0 0
  show nat
  route outside 0 0 192.168.P.1
  show route
  write memory
  show history
Note
You can use the up and down cursor keys on your keyboard to recall commands.
Step 8
Write the current configuration to the terminal and verify that you have entered the previous commands correctly:
pixP(config)# write terminal
Building configuration...
: Saved
:
PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix(P)l
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
pager lines 24
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.168.P.2 255.255.255.0
ip address inside 10.0.P.1 255.255.255.0
ip address dmz 172.16.P.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.P.20-192.168.P.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.P.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:9963c491006b1296815f3437947fab81
: end
[OK]
Step 9
Test the operation of the globals and NAT statements you configured by originating connections through the PIX Firewall:
1. Open a web browser on the Windows NT server.
2. Use the web browser to access the super server at IP address 172.26.26.50 by entering http://172.26.26.50.
Step 10
Observe the translation table:
pixP(config)# show xlate
Your display should appear similar to the following:
global 192.168.P.20 Local 10.0.P.3
A global address chosen from the low end of the global range has been mapped to your NT laptop.
Task 4—Test the Inside, Outside, and DMZ Interface Connectivity
To test and troubleshoot interface connectivity using the PIX Firewall ping command, complete the following steps:
Step 1
Ping the inside interface:
pixP(config)# ping 10.0.P.1
10.0.P.1 response received -- 10ms
10.0.P.1 response received -- 10ms
10.0.P.1 response received -- 10ms
(where P = pod number)
Step 2
Ping your inside host:
pixP(config)# ping 10.0.P.3
10.0.P.3 response received -- 10ms
10.0.P.3 response received -- 10ms
10.0.P.3 response received -- 10ms
(where P = pod number)
Step 3
Ping the outside interface:
pixP(config)# ping 192.168.P.2
192.168.P.2 response received -- 10ms
192.168.P.2 response received -- 10ms
192.168.P.2 response received -- 10ms
(where P = pod number)
Step 4
Ping your pod perimeter router:
pixP(config)# ping 192.168.P.1
192.168.P.1 response received -- 10ms
192.168.P.1 response received -- 10ms
192.168.P.1 response received -- 10ms
(where P = pod number)
Step 5
Ping the DMZ interface:
pixP(config)# ping 172.16.P.1
172.16.P.1 response received -- 10ms
172.16.P.1 response received -- 10ms
172.16.P.1 response received -- 10ms
(where P = pod number)
Step 6
Ping your bastion host:
pixP(config)# ping 172.16.P.2
172.16.P.2 response received -- 10ms
172.16.P.2 response received -- 10ms
172.16.P.2 response received -- 10ms
(where P = pod number)
Completion Criteria
You completed this lab exercise if you were able to ping the inside interface, outside interface, and DMZ interface.
6
Cisco PIX Firewall Translations
Overview
This chapter includes the following topics:
■ Objectives
■ Transport protocols
■ PIX Firewall translations
■ Access through the PIX Firewall
■ Other ways through the PIX Firewall
■ Summary
■ Lab exercise
Objectives
This section lists the chapter’s objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
• Describe how the TCP and UDP protocols function within the PIX Firewall.
• Describe how static and dynamic translations function.
• Configure inbound and outbound access through the PIX Firewall.
• Test and verify correct PIX Firewall operation.
Transport Protocols To gain a deeper understanding of how the Cisco PIX Firewall processes inbound and outbound transmissions, a brief review of the two primary transport protocols is warranted.
Sessions in an IP World
In an IP world, a network session is a transaction between two end systems. It is carried out over two transport layer protocols:
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
It is important to understand the transport protocols TCP and UDP to understand how the PIX Firewall operates. This section aids in understanding the TCP and UDP protocols. A network session is carried out over two transport layer protocols:
■ TCP, which is easy to inspect
■ UDP, which is difficult to inspect properly
Note
In the context of this training, the term outbound means connections from a more trusted side of the PIX Firewall to a less trusted side of the PIX Firewall. The term inbound means connections from a less trusted side of the PIX Firewall to a more trusted side of the PIX Firewall.
TCP is a connection-oriented protocol. When a session from a more secure host inside the PIX Firewall is started, the PIX Firewall creates an entry in the session state filter. The PIX Firewall is able to extract network sessions from the network flow and actively verify their validity in real time. This stateful filter maintains the parameters (or state) of each network connection and checks subsequent protocol units against its expectations. When a TCP session is initiated through the PIX Firewall, the PIX Firewall records the network flow and looks for an acknowledgement from the device with which the inside host is trying to initiate communications. The PIX Firewall then allows traffic to flow between the two endpoints based on the three-way handshake.
TCP Initialization—Inside to Outside
[Figure: a packet from the private network to 172.30.0.50 (source addr, destination addr, source port shown) reaches the PIX Firewall. The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.]
The PIX Firewall follows the Adaptive Security Algorithm:
• (Src IP, Src Port, Dest IP, Dest Port) check
• Sequence number check
• Translation check
If the code bit is not SYN-ACK, the PIX Firewall drops the packet.
When a TCP session is established over the PIX Firewall, the following happens:
1. The first IP packet from an inside host causes the generation of a translation slot. The embedded TCP information is then used to create a connection slot in the PIX Firewall.
2. The connection slot is marked as embryonic (not established yet).
3. The PIX Firewall randomizes the initial sequence number of the connection, stores the delta value, and forwards the packet onto the outgoing interface.
4. The PIX Firewall now expects a SYN/ACK packet from the destination host. Then the PIX Firewall matches the received packet against the connection slot, computes the sequencing information, and forwards the return packet to the inside host.
TCP Initialization—Inside to Outside (cont.)
[Figure: packet #5 on the private network: source addr 10.0.0.3, destination addr 172.30.0.50, source port 1026, destination port 23, initial sequence # 49092, ack 92514, flag ACK. On the public network side the PIX Firewall resets the embryonic counter for this client and then increments the connection counter for this host.]
5. The inside host completes the connection setup (the three-way handshake) with an ACK.
6. The connection slot on the PIX Firewall is marked as connected (active-established) and data is transmitted. The embryonic counter is then reset for this connection.
UDP
• Connectionless protocol
• Efficient protocol for some services
• Resourceful but difficult to secure
UDP is “connectionless.” The PIX Firewall must take other measures to ensure its security. Applications using UDP are difficult to secure properly because there is no handshaking or sequencing. It is difficult to determine the current state of a UDP transaction (opening, established, and closing). It is also difficult to maintain the state of a session, as it has no clear beginning, flow state, or end. However, the PIX Firewall creates a UDP connection slot when a UDP packet is sent from a more secure to a less secure interface. All subsequent returned UDP packets matching the connection slot are forwarded to the inside network.
UDP (cont.)
[Figure: packet #1 on the private network: source addr 10.0.0.3, destination addr 172.30.0.50, source port 1028, destination port 45000. The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created. Packet #2 on the public network: source addr 192.168.0.20, destination addr 172.30.0.50, source port 1028, destination port 45000. All UDP responses arrive from outside and within the UDP user-configurable timeout (default = 2 minutes).]
When the UDP connection slot is idle for more than the configured idle time, it is deleted from the connection table. The following are some UDP characteristics:
■ UDP is an unreliable but efficient transport protocol.
■ Spoofing UDP packets is very easy (no handshaking or sequencing). As there is no state machine, the initiator of the transaction or the current state usually cannot be determined.
■ UDP has no delivery guarantees.
■ There is no connection setup and termination (application implements a state machine).
■ UDP has no congestion management or avoidance.
Services that use UDP can be generally divided into two categories:
■ Request-reply (ping-pong) services (DNS)
■ Flow services (video, VoIP, NFS)
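The TCP initialization steps and the UDP section above describe the same connection-slot mechanism from two sides. The following Python model, added here for illustration and not Cisco code, walks through it: an outbound SYN creates an embryonic slot and stores the ISN delta, only a SYN/ACK that matches the slot and acknowledges the randomized ISN is passed back, the inside host's ACK marks the slot established, and a UDP slot is deleted once idle longer than the default 2 minutes. The Packet, ConnSlot and PixConnTable names are assumptions made for this example.

```python
# Constructed model of PIX connection-slot handling (added example, not Cisco code).
from dataclasses import dataclass, replace
import random

SEQ_MOD = 2 ** 32
EMBRYONIC, ESTABLISHED = "embryonic", "established"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                      # "tcp" or "udp"
    flags: frozenset = frozenset()  # TCP code bits, e.g. {"SYN", "ACK"}
    seq: int = 0
    ack: int = 0


@dataclass
class ConnSlot:
    proto: str
    state: str
    orig_isn: int = 0    # the inside host's own initial sequence number
    isn_delta: int = 0   # randomized ISN minus orig_isn (step 3)
    last_seen: float = 0.0


class PixConnTable:
    """Connection slots keyed on the inside-to-outside 5-tuple (constructed model)."""

    def __init__(self, rng, udp_timeout=120.0):
        self.rng = rng                  # source of the ISN randomization
        self.udp_timeout = udp_timeout  # UDP idle timeout, default 2 minutes
        self.conns = {}
        self.embryonic = {}             # inside host -> half-open connection count

    @staticmethod
    def key(p, reverse=False):
        if reverse:                     # a reply is matched against the slot it answers
            return (p.dst, p.dport, p.src, p.sport, p.proto)
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    def outbound(self, p, now):
        """Packet from the more secure interface; returns the forwarded packet or None."""
        k = self.key(p)
        slot = self.conns.get(k)
        if p.proto == "udp":
            if slot is None:            # the first UDP packet creates the slot
                slot = self.conns[k] = ConnSlot("udp", ESTABLISHED)
            slot.last_seen = now
            return p
        if slot is None:
            if p.flags != frozenset({"SYN"}):
                return None             # no slot and not a new session: dropped
            delta = self.rng.randrange(1, SEQ_MOD)
            self.conns[k] = ConnSlot("tcp", EMBRYONIC, p.seq, delta)   # steps 1-3
            self.embryonic[p.src] = self.embryonic.get(p.src, 0) + 1
        elif slot.state == EMBRYONIC and "ACK" in p.flags:
            slot.state = ESTABLISHED    # steps 5-6: the host's ACK completes setup
            self.embryonic[p.src] -= 1
        delta = self.conns[k].isn_delta
        return replace(p, seq=(p.seq + delta) % SEQ_MOD)

    def inbound(self, p, now):
        """Packet from the less secure interface; forwarded only against a matching slot."""
        k = self.key(p, reverse=True)
        slot = self.conns.get(k)
        if slot is None:
            return None                 # (src, sport, dst, dport) / translation check fails
        if p.proto == "udp":
            if now - slot.last_seen > self.udp_timeout:
                del self.conns[k]       # idle slot is deleted and the packet dropped
                return None
            slot.last_seen = now
            return p
        if slot.state == EMBRYONIC:     # step 4: only a SYN/ACK is expected
            if p.flags != frozenset({"SYN", "ACK"}):
                return None             # code bits are not SYN/ACK: dropped
            if p.ack != (slot.orig_isn + slot.isn_delta + 1) % SEQ_MOD:
                return None             # sequence number check fails
        # undo the randomization so the inside host sees its own numbering
        return replace(p, ack=(p.ack - slot.isn_delta) % SEQ_MOD)

    def expire_udp(self, now):
        """Delete UDP slots idle longer than the timeout; returns how many were removed."""
        idle = [k for k, s in self.conns.items()
                if s.proto == "udp" and now - s.last_seen > self.udp_timeout]
        for k in idle:
            del self.conns[k]
        return len(idle)


def new_table(seed=0):
    """Table with a seeded generator so a walk-through is repeatable."""
    return PixConnTable(random.Random(seed))
```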
PIX Firewall Translations This section describes the translation process in the PIX Firewall. There are two types of translations: static and dynamic.
Static Translations
[Figure: Internet; perimeter router 192.168.0.1; PIX Firewall 192.168.0.2 / 10.0.0.1; DNS server 10.0.0.10.]
pixfirewall(config)# static (inside, outside) 192.168.0.18 10.0.0.10
• Packet from 10.0.0.10 has source address of 192.168.0.18
• Permanently maps a single IP address
• Recommended for internal service hosts like a DNS server
Use static translations when you want an inside host to always appear with a fixed address on the PIX Firewall’s global network. Static translations are used to map an inside host address to an outside, global address:
■ Use the static command for outbound connections to ensure packets leaving an inside host are always mapped to a specific global IP address (for example, an inside DNS or SMTP host).
■ Use the static command alone for outbound connections that must be mapped to the same global IP address.
The following information can help you determine when to use static translations in the PIX Firewall:
■ Do not create statics with overlapping IP addresses. Each IP address should be unique.
■ Statics take precedence over nat and global command pairs.
■ If a global IP address will be used for port address translation (PAT), do not use the same global IP address for a static translation.
Dynamic translations are used for local hosts and their outbound connections, and hide the host address from the Internet. With dynamic translations, you must first define which hosts are eligible for translation with the nat command, and then define the address pool with the global command. The pool for address allocation is chosen on the outgoing interface based on the nat_id selected with the nat command. The nat command works with the global command to enable NAT. The nat command associates a network with a pool of global IP addresses. It lets you specify lists of inside hosts that can use the PIX Firewall for address translation. In the figure above the global pool of addresses assigned by the global command is 192.168.0.20 through 192.168.0.254, enabling up to 235 individual IP addresses.
Connections vs. Translations
• Translations—xlate
  – IP address to IP address translation
  – 65,536 translations supported
• Connections—conns
  – TCP or UDP sessions
Translations are at the IP layer and connections are at the transport layer (TCP specifically). Connections are subsets of translations. You can have many connections open under one translation. You can specify up to 256 global pools of IP addresses. The maximum is one class B network worth of IP addresses, or 255 class C addresses—that is, 65,535 addresses.
xlate Command
pixfirewall(config)# clear xlate [global_ip [local_ip]]
• The clear xlate command clears the contents of the translation slots.
The xlate command enables you to show or clear the contents of the translation (xlate) slots. Translation slots can remain indefinitely after key changes have been made. Always use clear xlate or reload after adding, changing, or removing alias, conduit, global, nat, route, or static commands in your configuration. The syntax for the xlate command is as follows:
clear xlate [global_ip [local_ip]]
show xlate [global_ip [local_ip]]
global_ip
The registered IP address to be used from the global pool.
local_ip
The local IP address from the inside network.
Note
See the Configuration Guide for the PIX Firewall for a description of the xlate and conn fields displayed with the show xlate command.
Access Through the PIX Firewall This section explains how to gain access through the PIX Firewall.
Only Two Ways Through the PIX Firewall
• Valid user request
  – Inside to outside communications
• Pre-defined static and conduit
  – Outside to inside communications
  – Defines addresses, ports, and applications
There are only two ways to gain access through the PIX Firewall:
■ Valid user request—All inside-to-outside-originated sessions first dynamically populate the translation table. When an outside server responds to the request, the PIX Firewall checks the translation table to see if a translation slot exists for that particular request. If it exists, the PIX Firewall allows the session to continue through. After the session is terminated, the translation slot is deleted. After a session is established for UDP requests, a configurable timer is set. The session finishes based on the time allowed for the UDP session and then closes the translation slot.
■ Predefined statics and conduits—Used for outside to inside communication. A pre-defined static translation is entered using an address or range of addresses from the global pool. A conduit is entered that defines the address, group of addresses, TCP/UDP port or range of ports, and who and what applications are allowed to flow through the PIX Firewall.
Although most connections occur from an interface with a high security level to an interface with a low security level, there are times when you will want to allow connections from an interface with a lower security level to an interface with a higher security level. To do this, use the static and conduit commands. The static command creates static mapping between an inside IP address and a global IP address. Using the static command enables you to set a permanent global IP address for a particular inside IP address. This creates an entrance for the specified interfaces with the lower security level into the specified interface with a higher security level. After creating a static mapping between an inside IP address and a global IP address by using the static command, the connection from the outside interface to the inside interface is still blocked by the PIX Firewall’s Adaptive Security Algorithm (ASA). The conduit command is used to allow traffic to flow between interfaces. The conduit command creates the exceptions to the PIX Firewall’s ASA.
Note
When you use a static command, you must also use a conduit command. The static command makes the mapping, and the conduit command lets users access the static mapping.
static Command
pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
• Maps a local IP address to a global IP address
pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.3 netmask 255.255.255.255 0 1000
• Packet sent from 10.0.0.3 has a source address of 192.168.0.10
• Permanently maps a single IP address
• Recommended for internal service hosts
The static command creates a permanent mapping (called a static translation slot or xlate) between a local IP address and a global IP address. For outbound connections, use static to specify an address in the pool of global addresses that is always used for translation between the local host and the global address. For inbound connections, use static with the conduit command to identify addresses visible on the external network. The static command creates a permanent mapping (static translation slot) between a local IP address and a NIC-registered IP address. In the example above, when a packet from the client station 10.0.0.3 goes out through the PIX Firewall, it will have the source IP address of 192.168.0.10. Connections to 192.168.0.10 are unlimited, but embryonic connections are limited to 1000. The syntax for the static command is as follows:
static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
internal_if_name
The internal network interface name.
external_if_name
The external network interface name.
global_ip
The global IP address used for redirection.
local_ip
The local IP address from the inside network.
netmask
Reserved word required before specifying the network mask.
network_mask
The network mask; it pertains to both global_ip and local_ip.
max_conns
The maximum number of connections permitted through the static at the same time.
em_limit
The embryonic connection limit. An embryonic connection is one that has started but not yet completed. Set this limit to prevent attack by a flood of embryonic connections. The default is 0, which means unlimited connections.
norandomseq
Do not randomize the TCP/IP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall.
The security level for each interface is set by the nameif command. The static command allows traffic to originate from an interface with a lower security value through the PIX Firewall to an interface with a higher security value. For example, a static and conduit must be configured to allow incoming sessions from the outside interface to the DMZ interface, or from the outside interface to the inside interface. Statics take precedence over nat and global command pairs. Use the show static command to view static statements in the configuration. In software versions 5.2 and higher, for all inbound traffic, the PIX Firewall denies translations for destination IP addresses identified as network addresses or broadcast addresses. It uses the global IP and mask from a static command statement to differentiate regular IP addresses from network or broadcast addresses. If a global IP address is a valid network address with a matching network mask, the PIX Firewall disallows the xlate for network or broadcast IP addresses in inbound packets.
conduit Command
pixfirewall(config)# conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]
• A conduit maps a specific IP address and TCP/UDP connection from the outside host to the inside host
pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq ftp any
The conduit command permits or denies connections from outside the PIX Firewall to access TCP/UDP services on hosts inside the network. The conduit statement creates an exception to the PIX Firewall ASA by permitting connections from one PIX Firewall network interface to access hosts on another. To allow connections from a lower security interface to a higher security interface, the conduit command must be used. The conduit command is what actually creates an exception to the standard PIX Firewall ASA. The example above allows FTP services via the IP address 192.168.0.10 to the inside host 10.0.0.3 from the outside. The global_ip and global_mask define the IP address or addresses where connections are being permitted. You can have up to 8000 conduits, and can remove a conduit with the no conduit command. The syntax for the conduit command is as follows:
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
permit
Permits access if the conditions are met.
deny
Denies access if the conditions are met.
protocol
Specifies the transport protocol for the connection. Possible literal values are eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, udp, or an integer in the range 0 to 255 representing an IP protocol number. Use ip to specify all transport protocols. You can view valid protocol numbers online at: www.isi.edu/in-notes/iana/assignments/protocol-numbers.
icmp
Permit or deny ICMP access to one or more global IP addresses. Specify the ICMP type in the icmp_type variable, or omit to specify all ICMP types.
global_ip
A global IP address previously defined by a global or static command. You can use any IP address if the global_ip and global_mask are 0.0.0.0 0.0.0.0. The any command applies the permit or deny to the global addresses on all interfaces. If global_ip is a host, you can omit global_mask by specifying the host command before global_ip.
operator
A comparison operand that enables you to specify a port or a port range. Possible values are: eq, lt, any, gt, neq, range. Use the no operator and port to indicate all ports.
global_mask
Network mask of global_ip. The global_mask is a 32-bit, 4-part dotted decimal; for example, 255.255.255.255. Use zeros to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for global_ip, use 0 for the global_mask; otherwise, enter the global_mask appropriate to global_ip.
port
Service you permit to be used while accessing global_ip. Specify services by the port that handles it, such as 25 for SMTP, 80 for HTTP, and so on. 0 means any port. The port values are defined in RFC 1700. Permitted literal names are dns, esp, ftp, h323, http, ident, nntp, ntp, pop2, pop3, pptp, rpc, smtp, snmp, snmptrap, sqlnet, tcp, telnet, tftp, and udp. Note that you can specify literals in port ranges; for example, ftp-h323. You can also specify numbers.
foreign_ip
An external IP address (host or network) that can access the global_ip. You can specify 0.0.0.0 or 0 for any host. If both the foreign_ip and foreign_mask are 0.0.0.0 0.0.0.0, you can use the shorthand any command, which applies to all interfaces. If foreign_ip is a host, you can omit foreign_mask by specifying the host command before foreign_ip.
foreign_mask
Network mask of foreign_ip. The foreign_mask is a 32-bit, 4-part dotted decimal; for example, 255.255.255.255. Use zeros in a part to indicate bit positions to be ignored. Use subnetting if required. If you use 0 for foreign_ip, use 0 for the foreign_mask; otherwise, enter the foreign_mask appropriate to foreign_ip.
operator
A comparison operand that enables you to specify a port or a port range. Possible values are: eq, lt, any, gt, neq, range. Use the no operator and port to indicate all ports.
port
Service you permit to be used while accessing global_ip or foreign_ip. Specify services by the port that handles it, such as 25 for SMTP, 80 for HTTP, and so on. You can specify ports by either a literal name or as a number in the range of 0 to 65535. You can specify all ports by not specifying a port value, for example, conduit deny tcp any any. This command is the default condition for the conduit command in that all ports are denied until explicitly permitted. You can view valid port numbers online at the following: www.isi.edu/in-notes/iana/assignments/port-numbers
Note
If you want internal users to be able to ping external hosts, you must create an ICMP conduit for echo reply; for example, to give ping access to all hosts, use the conduit permit icmp any any command. However, this may cause a lot of traffic on busy networks.
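To make the conduit syntax and its default-deny behaviour concrete, here is an added Python evaluator (not Cisco code) that parses conduit statements in the form described above, including any, host, the eq/lt/gt/neq/range operators and the port literals listed, and decides an inbound connection. It assumes the first matching conduit decides and that no match means deny, the page's stated default; the parse_conduit and evaluate names are assumptions for this example.

```python
# Constructed conduit evaluator (added example, not Cisco code).
import ipaddress

# Port literals the page lists, with the numbers they stand for (esp is not a port).
PORT_NAMES = {"dns": 53, "ftp": 21, "h323": 1720, "http": 80, "ident": 113,
              "nntp": 119, "ntp": 123, "pop2": 109, "pop3": 110, "pptp": 1723,
              "rpc": 111, "smtp": 25, "snmp": 161, "snmptrap": 162,
              "sqlnet": 1521, "telnet": 23, "tftp": 69}
OPERATORS = ("eq", "lt", "gt", "neq", "range")


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens, i):
    """any | host X | X MASK -> ((network, mask) as ints, next index)."""
    if tokens[i] == "any":                      # shorthand for 0.0.0.0 0.0.0.0
        return (0, 0), i + 1
    if tokens[i] == "host":                     # single address, mask omitted
        return (int(ipaddress.ip_address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    ip = int(ipaddress.ip_address(tokens[i]))
    mask = int(ipaddress.ip_address(tokens[i + 1]))
    return (ip & mask, mask), i + 2             # zero mask bits are ignored


def _parse_ports(tokens, i):
    """Optional 'operator port [port]' -> (predicate on a port, next index)."""
    if i >= len(tokens) or tokens[i] not in OPERATORS:
        return (lambda p: True), i              # no operator means all ports
    op, a = tokens[i], _port(tokens[i + 1])
    if op == "range":
        b = _port(tokens[i + 2])
        return (lambda p: a <= p <= b), i + 3
    tests = {"eq": lambda p: p == a, "lt": lambda p: p < a,
             "gt": lambda p: p > a, "neq": lambda p: p != a}
    return tests[op], i + 2


def parse_conduit(line):
    """Parse one 'conduit permit|deny protocol ...' statement into a rule dict."""
    t = line.split()
    if t[0] != "conduit" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line}")
    glob, i = _parse_addr(t, 3)
    gports, i = _parse_ports(t, i)
    foreign, i = _parse_addr(t, i)
    fports, i = _parse_ports(t, i)
    # for icmp an optional trailing ICMP type; omitted means all types
    icmp_type = int(t[i]) if t[2] == "icmp" and i < len(t) else None
    return {"action": t[1], "proto": t[2], "global": glob, "gports": gports,
            "foreign": foreign, "fports": fports, "icmp_type": icmp_type}


def _addr_match(rule_addr, ip):
    net, mask = rule_addr
    return (int(ipaddress.ip_address(ip)) & mask) == net


def evaluate(conduits, proto, global_ip, global_port, foreign_ip,
             foreign_port=0, icmp_type=None):
    """Decide an inbound connection from foreign_ip to global_ip: 'permit' or 'deny'."""
    for c in conduits:
        if c["proto"] not in ("ip", proto):     # 'ip' covers all transport protocols
            continue
        if not (_addr_match(c["global"], global_ip)
                and _addr_match(c["foreign"], foreign_ip)):
            continue
        if proto in ("tcp", "udp") and not (c["gports"](global_port)
                                            and c["fports"](foreign_port)):
            continue
        if proto == "icmp" and c["icmp_type"] is not None and c["icmp_type"] != icmp_type:
            continue
        return c["action"]                      # first matching conduit decides (assumption)
    return "deny"                               # all ports denied until explicitly permitted
```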
Other Ways Through the PIX Firewall This section describes other ways through the PIX Firewall, such as Port Address Translation (PAT) and the xlate command.
Port Address Translation
[Figure: PAT; global address 192.168.0.15.]
PAT is a combination of an IP address and a source port number, which creates a unique session. PAT uses the same IP address for all packets but a different unique source port greater than 1024. PAT provides the following advantages:
■ PAT and Network Address Translation (NAT) can be used together.
■ The PAT address can be different from the outside interface address.
■ Provides for IP address expansion.
■ One outside IP address used for up to 64,000 inside hosts.
■ Maps port numbers to single IP address.
■ PAT provides security by hiding the inside source address by using single IP address from the PIX Firewall.
In the figure above, two clients are requesting connectivity to the Internet. The PIX Firewall checks security rules to verify the security levels, and then replaces the source IP address with the PAT IP address. To maintain accountability, the source port address is changed to a unique number greater than 1024.
PAT Example
pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0
pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0
(Figure: perimeter router.)
• Source port changed to a unique number greater than 1024
The PIX Firewall PAT feature expands a company's address pool:
■ One outside IP address is used for approximately 4,000 inside hosts (practical limit; the theoretical limit is greater than 64,000).
■ PAT maps TCP port numbers to a single IP address.
■ PAT provides security by hiding the inside source address by using a single IP address from the PIX.
■ PAT can be used with NAT.
■ A PAT address can be a virtual address, different from the outside address.
Do not use PAT when running multimedia applications through the PIX Firewall. Multimedia applications need access to specific ports and can conflict with port mappings provided by PAT.
In this example of PAT, XYZ Company has only four registered IP addresses. One address is taken by the perimeter router, one by the PIX Firewall, and one by the bastion host. The example configuration is as follows:
ip address (inside) 10.0.0.1 255.255.255.0
ip address (outside) 192.168.0.2 255.255.255.0
route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
IP addresses are assigned to the internal and external interfaces. A single registered IP address is put into the global pool, and is shared by all outgoing access for network 10.0.0.0:
global (outside) 1 192.168.0.9 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0
PAT Using Outside Interface Address
pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0
(Figure: perimeter router.)
You can use the IP address of the outside interface as the PAT address by using the interface option of the global command. This is important for configuring DHCP, allowing the DHCP-retrieved address to be used for PAT. DHCP support is discussed later in the course. In the figure, source addresses for hosts on network 10.0.0.0 are translated to 192.168.0.2 for outgoing access, and the source port is changed to a unique number greater than 1024.
Note
When PAT is enabled on an interface, there should be no loss of TCP, UDP, and ICMP services. These services allow for termination at the PIX Firewall unit's outside interface.
Mapping Subnets to PAT Addresses
pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0
pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0
pixfirewall(config)# global (outside) 2 192.168.0.9 netmask 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.1.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.0.2.0 255.255.255.0
(Figure: perimeter router 192.168.0.1.)
• The source port is changed to a unique number greater than 1024.
With software versions 5.2 and higher, you can specify multiple PATs to track usage among different subnets. In the figure, network 10.0.1.0 and network 10.0.2.0 are mapped to different PAT addresses. This is done by using a separate nat and global command pair for each network. Outbound sessions from hosts on internal network 10.0.1.0 will appear to originate from address 192.168.0.8, and outbound sessions from hosts on internal network 10.0.2.0 will appear to originate from address 192.168.0.9.
With software versions 5.2 and higher, you can also back up your PAT address by configuring multiple globals with the same nat_id. In the figure, address 192.168.0.9 will be used for all outbound connections from network 10.0.1.0 when the port pool from 192.168.0.8 is at maximum capacity.
Augmenting a Global Pool with PAT
pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0
pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.19 netmask 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
(Figure: perimeter router 192.168.0.1; PIX Firewall 192.168.0.2 / 10.0.0.1; Engineering 10.0.1.0; Sales; bastion host 172.16.0.2.)
• When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range.
• When the addresses from the global pool are exhausted, PAT begins.
You can augment a pool of global addresses with PAT. When all IP addresses from the global pool are in use, the PIX Firewall begins PAT using the single IP address shown in the second global command. In the figure, hosts on the 10.0.0.0 internal network are assigned addresses from the global pool 192.168.0.20−192.168.0.254 as they initiate outbound connections. When the addresses from the global pool are exhausted, packets from all hosts on network 10.0.0.0 will appear to have originated from 192.168.
Port Redirection
pixfirewall(config)# static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global-port local_ip local-port [netmask mask] [max_conns [emb_limit [norandomseq]]]
• Allows outside users to connect to a particular IP address or port and have the PIX redirect traffic to the appropriate inside server.
pixfirewall(config)# static (inside,outside) tcp 192.168.0.15 ftp 10.0.0.3 ftp netmask 255.255.255.255 0 0
• External users direct FTP requests to unique IP address 192.168.0.15. The PIX Firewall redirects the request to 10.0.0.3.
With software versions 6.0 and higher, the PIX Firewall provides static PAT capability. This feature allows outside users to connect to a particular IP address or port and have the PIX Firewall redirect traffic to the appropriate inside server. This capability can be used to send multiple inbound TCP or UDP services to different internal hosts through a single global address. The shared global address can be a unique address or a shared outbound PAT address, or it can be shared with the external interface. The static command was modified in software version 6.0 to accommodate port redirection. If the tcp or udp keyword is specified in the static command, a static UDP or TCP port redirection is configured. If the interface keyword is specified, the outside interface address is taken to be the global IP address.
Note
A conduit or access-list command statement must be configured in addition to the static command to enable an inbound connection.
The syntax for the static command is as follows:
static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global-port local_ip local-port [netmask mask] [max_conns [emb_limit]] [norandomseq]
internal_if_name    The internal network interface name.
external_if_name    The external network interface name.
tcp                 Specifies TCP port redirection.
udp                 Specifies UDP port redirection.
global_ip           The global IP address used for redirection.
interface           The outside interface address taken to be the global address.
global-port         Global TCP or UDP port for port redirection.
local_ip            The local IP address from the inside network.
local-port          Local TCP or UDP port for port redirection.
netmask             Reserved word required before specifying the network mask.
• The external user directs a Telnet request to the PIX Firewall's outside IP address, 192.168.0.2. The PIX Firewall redirects the request to host 10.0.0.4.
• The external user directs an HTTP port 8080 request to the PIX Firewall PAT address, 192.168.0.9. The PIX Firewall redirects this request to host 172.16.0.2 port 80.
In the example above, the external user directs a Telnet request to the PIX outside IP address 192.168.0.2. The PIX Firewall redirects the request to host 10.0.0.4. The external user then directs an HTTP port 8080 request to PAT address 192.168.0.9. The PIX Firewall redirects this request to host 172.16.0.2 port 80. The following is a partial configuration for the PIX Firewall in the example:
access-list 101 permit tcp any host 192.168.0.2 eq telnet
access-list 101 permit tcp any host 192.168.0.9 eq 8080
access-group 101 in interface outside
global (outside) 1 192.168.0.9
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface telnet 10.0.0.4 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0
No Network Address Translation (nat 0)
pixfirewall(config)# nat (inside) 0 192.168.0.9 255.255.255.255
pixfirewall(config)# show nat
nat 0 192.168.0.9 will be non-translated
• nat 0 ensures that 192.168.0.9 is not translated.
• ASA remains in effect with nat 0.
Another feature to control outbound connections is the ability to control which internal IP addresses are visible on the outside. The nat 0 command lets you disable address translation so that inside IP addresses are visible on the outside without address translation. Use this feature when you have NIC-registered IP addresses on your inside network that you want to be accessible on the outside network. Use of nat 0 depends on your security policy: if your policy allows internal clients to have their IP addresses exposed to the Internet, nat 0 provides that service. In the figure above, the address 192.168.0.9 is not translated. When you enter nat (inside) 0 192.168.0.9 255.255.255.255, the PIX Firewall displays the following message:
nat 0 192.168.0.9 will be non-translated
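The translation behaviour described in the PAT, "Augmenting a Global Pool with PAT", port redirection and nat 0 sections above, as an added Python model that is not part of the student guide: a global range is handed out address by address, PAT on the single global address under the same nat_id begins once the range is exhausted, a static port redirection is reachable from the outside only when a conduit or access-list also permits it, and nat 0 leaves the address untouched. The Pix class, its method names and the walk through all 235 pool addresses are constructed for illustration; the addresses and ports are those used in the figures.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pix:
    """Constructed model of the PIX translation table (xlate); not Cisco code."""
    nat_rules: list = field(default_factory=list)   # (nat_id, inside network); nat_id 0 = no translation
    pools: dict = field(default_factory=dict)       # nat_id -> free addresses of a global range
    pat_addrs: dict = field(default_factory=dict)   # nat_id -> single global address used for PAT
    statics: dict = field(default_factory=dict)     # (proto, global_ip, gport) -> (local_ip, lport)
    conduits: set = field(default_factory=set)      # (proto, global_ip, gport) permitted inbound
    xlate: dict = field(default_factory=dict)       # local_ip -> global_ip (one-to-one dynamic NAT)
    pat_table: dict = field(default_factory=dict)   # (proto, pat_ip, pat_port) -> (local_ip, lport)
    next_port: int = 1025                           # PAT source ports: unique, greater than 1024

    def nat(self, nat_id, network):                 # nat (inside) nat_id network mask
        self.nat_rules.append((nat_id, ipaddress.ip_network(network)))

    def global_pool(self, nat_id, first, last=None):
        # global (outside) nat_id first[-last]: a range is a NAT pool; a single address
        # under the same nat_id is the PAT address used once the pool is exhausted
        if last is None:
            self.pat_addrs[nat_id] = first
            return
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.pools.setdefault(nat_id, []).extend(
            str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))

    def static(self, proto, global_ip, gport, local_ip, lport):   # static ... tcp gip gport lip lport
        self.statics[(proto, global_ip, gport)] = (local_ip, lport)

    def conduit(self, proto, global_ip, gport):     # conduit permit proto host gip eq gport any
        self.conduits.add((proto, global_ip, gport))

    def outbound(self, proto, local_ip, lport):
        """(global_ip, global_port) that a packet from local_ip:lport leaves with."""
        for (p, gip, gport), (lip, lp) in self.statics.items():
            if (p, lip, lp) == (proto, local_ip, lport):
                return gip, gport                    # statics are permanent and bidirectional
        addr = ipaddress.ip_address(local_ip)
        # nat 0 statements are honoured before numbered nat statements
        for nat_id, net in sorted(self.nat_rules, key=lambda r: r[0] != 0):
            if addr in net:
                break
        else:
            raise LookupError(f"no nat statement covers {local_ip}")
        if nat_id == 0:
            return local_ip, lport                   # nat 0: visible on the outside untranslated
        if local_ip in self.xlate:
            return self.xlate[local_ip], lport       # existing one-to-one entry
        if self.pools.get(nat_id):
            gip = self.pools[nat_id].pop(0)          # lowest free address of the global range
            self.xlate[local_ip] = gip
            return gip, lport
        if nat_id in self.pat_addrs:                 # range exhausted (or none): PAT begins
            pat_port, self.next_port = self.next_port, self.next_port + 1
            self.pat_table[(proto, self.pat_addrs[nat_id], pat_port)] = (local_ip, lport)
            return self.pat_addrs[nat_id], pat_port
        raise RuntimeError(f"global pool for nat_id {nat_id} exhausted and no PAT address")

    def inbound(self, proto, global_ip, gport):
        """Inside (local_ip, lport) an outside-initiated packet reaches, or None if dropped."""
        key = (proto, global_ip, gport)
        if key in self.statics and key in self.conduits:   # a static alone opens nothing
            return self.statics[key]
        if key in self.pat_table:                          # reply to an existing PAT session
            return self.pat_table[key]
        return None


def augmented_pool_demo():
    """Figure 'Augmenting a Global Pool with PAT', driven until the range runs out."""
    pix = Pix()
    pix.global_pool(1, "192.168.0.20", "192.168.0.254")   # 235 registered addresses
    pix.global_pool(1, "192.168.0.19")                    # same nat_id: PAT for the overflow
    pix.nat(1, "10.0.0.0/24")
    first = pix.outbound("tcp", "10.0.0.3", 1074)
    for host in range(4, 238):                            # 234 further hosts use up the range
        pix.outbound("tcp", f"10.0.0.{host}", 1074)
    overflow = pix.outbound("tcp", "10.0.0.238", 1074)
    return {"first": first, "overflow": overflow,
            "next": pix.outbound("tcp", "10.0.0.239", 1074), "pool_left": len(pix.pools[1])}


def port_redirection_demo():
    """Port redirection figure: telnet via the interface address, HTTP 8080 via the PAT address."""
    pix = Pix()
    pix.global_pool(1, "192.168.0.9")
    pix.nat(1, "0.0.0.0/0")
    pix.static("tcp", "192.168.0.2", 23, "10.0.0.4", 23)     # 'interface' keyword = 192.168.0.2
    pix.static("tcp", "192.168.0.9", 8080, "172.16.0.2", 80)
    pix.static("tcp", "192.168.0.15", 21, "10.0.0.3", 21)    # static without a conduit
    pix.conduit("tcp", "192.168.0.2", 23)                     # access-list 101 ... eq telnet
    pix.conduit("tcp", "192.168.0.9", 8080)                   # access-list 101 ... eq 8080
    return {"telnet": pix.inbound("tcp", "192.168.0.2", 23),
            "http": pix.inbound("tcp", "192.168.0.9", 8080),
            "ftp_no_conduit": pix.inbound("tcp", "192.168.0.15", 21),
            "unmapped": pix.inbound("tcp", "192.168.0.9", 443),
            "server_reply": pix.outbound("tcp", "172.16.0.2", 80)}
```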
Summary
This section summarizes the tasks you learned to complete in this chapter.
• The PIX Firewall manages the TCP and UDP protocols through the use of a translation table.
• Static translations assign a permanent IP address to an inside host. Mapping between local and global addresses is done dynamically with the nat command.
• The PIX Firewall understands the performance characteristics of the NetBIOS protocol and is able to translate the source address in the IP header as well as the source address in the payload.
• Dynamic translations use NAT for local clients and their outbound connections and hide the client address from others on the Internet.
• The static and conduit commands are used to allow inbound communication through the PIX Firewall.
• The PIX Firewall supports PAT, port redirection, and no network address translation (nat 0).
Directions
Your task in this exercise is to configure the PIX Firewall to work with a perimeter router to protect the campus network from intruders. One PIX Firewall is available for each pod group of two students. Work with your pod members to perform the following steps in this lab exercise:
■ Configure global addresses and NAT for inside and outside interfaces.
■ Test globals and NAT configuration.
■ Configure a static and conduit from the PIX Firewall outside interface to the Windows NT server inside the network.
■ Test and verify correct PIX Firewall operation.
■ Configure the PIX Firewall third interface.
■ Test access to the third interface.
Task 1—Configure Global Addresses and NAT for Inside and Outside Interfaces
Enter the following commands to configure PIX Firewall global address pools and routing:
Step 1 Remove NAT:
pixP(config)# no nat (inside) 1 0 0
Step 2 Configure NAT for the internal network's range of IP addresses:
pixP(config)# nat (inside) 1 10.0.P.0 255.255.255.0 0 0
Step 3 Display currently configured NAT:
pixP(config)# show nat
nat (inside) 1 10.0.P.0 255.255.255.0 0 0
Step 4 Allow ICMP and ping packets through the PIX Firewall:
pixP(config)# conduit permit icmp any any
Step 5 Write the current configuration to Flash memory:
pixP(config)# write memory
Step 6 Write the current configuration to the terminal:
pixP(config)# write terminal
Step 7 Use the clear xlate command after configuring with the nat and global commands to make the global IP addresses available in the translation table:
pixP(config)# clear xlate
pixP(config)# show xlate
Task 2—Test Globals and NAT Configuration
To test the globals and NAT configuration, you must complete the following:
Step 1 From your Windows command line, ping the perimeter router.
C:\> ping 192.168.P.1
Step 2 Test the operation of the global and NAT you configured by originating connections through the PIX Firewall.
1. Open a web browser on the Windows NT server.
2. Use the web browser to access the Super Server at IP address 172.26.26.50 by entering http://172.26.26.50.
Step 3 Observe the translation table with the show xlate command.
pixP(config)# show xlate
Your display should appear similar to the following:
Global 192.168.P.20 Local 10.0.P.3
Note that a global address chosen from the low end of the global range has been mapped to your NT laptop.
Task 3—Configure a Static and Conduit from the PIX Firewall Outside Interface to the Windows NT Server Inside the Network
Configure a static translation so that traffic originated from the internal Windows NT server always has the same source address on the outside interface of the PIX Firewall. Test the static and conduit by pinging the Windows NT server from the perimeter router. In a production environment, you should remove the conduit permit icmp any any command to prevent a potential security breach. Use the following commands:
Step 1 Create a static translation from the outside PIX Firewall interface to the internal host, and create a conduit to allow web connections from the outside to your NT server on the inside:
pixP(config)# static (inside,outside) 192.168.P.10 10.0.P.3
pixP(config)# conduit permit tcp host 192.168.P.10 eq www any
(where P = your pod number)
Step 2 Turn on ICMP monitoring at the PIX Firewall:
pixP(config)# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
Step 3 Clear the translation table:
pixP(config)# clear xlate
Step 4 Ping the perimeter router from your Windows NT server to test the translation. Observe the source and destination of the packets at the console of the PIX Firewall.
C:\> ping 192.168.P.1
(where P = pod number)
Note the example display for pixP: Outbound Inbound Outbound Inbound Outbound Inbound
Observe the source, destination, and translated addresses on the PIX Firewall console.
Step 5 Ping a peer inside host from your inside host as allowed by the conduit via the static:
C:\> ping 192.168.Q.10
(where Q = peer pod number)
Step 6 Test web access to another pod's inside host as allowed by the static and conduit configured in this task.
1. Open a web browser on the Windows NT server.
2. Use the web browser to access the inside host of another pod by entering http://192.168.Q.10.
Step 7 Turn off debug:
pixP(config)# no debug icmp trace
Example Configuration
Your configuration may look as follows at this point:
pixP(config)# write terminal
Building configuration...
: Saved
:
PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 6RD5.96v/eXN3kta encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixP
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
pager lines 24
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.168.P.2 255.255.255.0
ip address inside 10.0.P.1 255.255.255.0
ip address dmz 172.16.P.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover poll 15
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.P.20-192.168.P.254 netmask 255.255.255.0
nat (inside) 1 10.0.P.0 255.255.255.0 0 0
static (inside,outside) 192.168.P.10 10.0.P.3 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 192.168.P.10 eq www any
route outside 0.0.0.0 0.0.0.0 192.168.P.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:9963c491006b1296815f3437947fab81
: end
[OK]
7 Configuring Multiple Interfaces
Overview
This chapter includes the following topics:
■ Objectives
■ Configuring additional interfaces
■ Summary
■ Lab exercise
Objectives
This section lists the chapter's objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
• Configure three interfaces on the PIX Firewall.
• Configure four interfaces on the PIX Firewall.
Configuring Additional Interfaces
This section describes how to configure multiple interfaces on the Cisco Secure PIX Firewall.
Additional Interface Support
(Figure: PIX Firewall interfaces e0 through e9.)
• Supports up to eight additional interfaces
• Increases the security of publicly available services
• Easily interconnects multiple extranet or partner networks
• Easily configured with standard PIX Firewall commands
The PIX Firewall supports up to eight additional perimeter interfaces for platform extensibility and security policy enforcement on publicly accessible services. The multiple perimeter interfaces enable the PIX Firewall to protect publicly accessible web, mail, and DNS servers on the demilitarized zone (DMZ). Web-based and traditional Electronic Data Interchange (EDI) applications that link vendors and customers are also more secure and scalable when implemented using a physically separate network. As the trend toward building these extranet and partnernet applications accelerates, the PIX Firewall is already prepared to accommodate them.
When configuring multiple interfaces, remember that the security level designates whether an interface is inside (trusted) or outside (untrusted) relative to another interface. An interface is considered inside in relation to another interface if its security level is higher than the other interface’s security level, and is considered outside in relation to another interface if its security level is lower than the other interface’s security level. The primary rule for security levels is that an interface with a higher security level can access an interface with a lower security level. The nat and global commands work together to enable your network to use any IP addressing scheme and to remain hidden from the external network. An interface with a lower security level cannot access an interface with a higher security level unless you specifically allow it by implementing static and conduit, or static and access list command pairs.
(Figure: three-interface configuration; ip address 192.168.0.2 255.255.255.0 and two further interfaces with netmask 255.255.255.0.)
A third interface is configured as shown in the previous figure. When your PIX Firewall is equipped with three or more interfaces, use the following guidelines to configure it while employing NAT:
■ The outside interface cannot be renamed or given a different security level.
■ An interface is always "outside" with respect to another interface that has a higher security level. Packets cannot flow between interfaces that have the same security level.
■ Use a single default route statement to the outside interface only. Set the default route with the route command.
■ Use the nat command to let users on the respective interfaces start outbound connections. Associate the nat_id with the global_id in the global command statement. The valid identification numbers can be any positive number up to two billion.
■ After you have completed a configuration in which you add, change, or remove a global statement, save the configuration and enter the clear xlate command so that the IP addresses will be updated in the translation table.
■ To permit access to servers on protected networks, use the static and conduit commands.
ip address outside 192.168.0.2
ip address inside 10.0.0.1
ip address dmz 172.16.0.1
ip address partnernet 172.18.0.1
In the figure above, the PIX Firewall has four interfaces. Users on all interfaces have access to all servers and hosts (inside, outside, DMZ, and partnernet). Configuring four interfaces requires more attention to detail, but the interfaces are configured with standard PIX Firewall commands. To enable users on a higher security level interface to access hosts on a lower security interface, use the nat and global commands (for example, when users on the inside interface have access to the web server on the DMZ interface). To let users on a lower security level interface (users on the partnernet interface) access hosts on a higher security interface (DMZ), use the static and conduit commands. As seen in the figure above, the partnernet has a security level of 40 and the DMZ has a security level of 50. The DMZ will use nat and global commands to speak with the partnernet and will use statics and conduits to receive traffic from the partnernet.
The following table is a quick reference guide that explains when to use the nat and static commands for configuring varied interfaces in the PIX Firewall.
From This Interface    To This Interface    Use This Command
Inside                 Outside              nat
Inside                 DMZ                  nat
Inside                 Partnernet           nat
DMZ                    Outside              nat
DMZ                    Partnernet           nat
DMZ                    Inside               static
Partnernet             Outside              nat
Partnernet             DMZ                  static
Partnernet             Inside               static
Outside                DMZ                  static
Outside                Partnernet           static
Outside                Inside               static
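Added example, not from the student guide: deriving this quick-reference table from the security levels in nameif statements, so that a proposed interface layout can be checked the same way before it is configured. The sample nameif lines are constructed to match the lab configurations on this page plus a partnernet interface at security level 40 as in the four-interface figure; the function names are my own.

```python
import re

# Constructed sample: nameif lines in the form the lab configurations on this page use,
# plus a partnernet interface at security level 40 as in the four-interface figure.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 partnernet security40
"""

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")


def security_levels(config_text):
    """Map interface name -> security level from the nameif statements in a config."""
    levels = {}
    for line in config_text.splitlines():
        m = NAMEIF.match(line.strip())
        if m:
            levels[m.group(1)] = int(m.group(2))
    return levels


def command_for(levels, src, dst):
    """Command that lets hosts on src reach dst: 'nat' (with global) from a higher to a
    lower security level, 'static' (with conduit or access-list) from lower to higher,
    None when the levels are equal because packets do not flow between such interfaces."""
    if levels[src] > levels[dst]:
        return "nat"
    if levels[src] < levels[dst]:
        return "static"
    return None


def quick_reference(levels):
    """Rebuild the chapter's quick-reference table for every ordered pair of interfaces."""
    return {(src, dst): command_for(levels, src, dst)
            for src in levels for dst in levels if src != dst}


def lint_levels(levels):
    """Warnings a practitioner wants before trusting the table: the outside interface must
    keep level 0, and two interfaces on the same level cannot exchange packets at all."""
    warnings = []
    if levels.get("outside") != 0:
        warnings.append("outside must keep security level 0")
    seen = {}
    for name, level in levels.items():
        if level in seen:
            warnings.append(f"{name} and {seen[level]} share security level {level}: "
                            "packets will not flow between them")
        seen.setdefault(level, name)
    return warnings
```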
Summary
This section summarizes the tasks you learned to complete in this chapter.
Directions
Your task in this exercise is to configure the PIX Firewall to work with a perimeter router to protect the campus network from intruders. One PIX Firewall is available for each pod group of two students. Work with your pod partners to perform the following steps in this lab exercise:
■ Task 1—Configure Inside Multiple Interfaces
■ Task 2—Configure Outside Access to the DMZ
Task 1—Configure Inside Multiple Interfaces
Configure the PIX Firewall to allow access to the DMZ from the inside and outside network. Perform the following steps to configure the global address pools, NAT, and routing for the DMZ interface:
Step 1 Assign one pool of IP addresses for hosts on the public DMZ.
pixP(config)# global (dmz) 1 172.16.P.20-172.16.P.254 netmask 255.255.255.0
(where P = pod number)
Step 2 Enable use of the name command to map text strings to IP addresses.
pixP(config)# names
Step 3 Name the bastion host using the name command. The name configured here will be used in a later lab step.
pixP(config)# name 172.16.P.2 bastionhost
pixP(config)# show name
(where P = pod number)
Step 4 Clear the translation table so that the global IP address will be updated in the table.
pixP(config)# clear xlate
Step 5 Write the current configuration to Flash memory.
pixP(config)# write memory
Step 6 Test connectivity to the bastion host from your internal host.
C:\> ping 172.16.P.2
(where P = pod number)
Step 7 Test Web access to your bastion host from the Windows NT server by doing the following sub-steps:
1. Open a web browser on the Windows NT server.
2. Use the web browser to access your bastion host by entering http://172.16.P.2. (where P = pod number)
3. The home page of the bastion host should appear on your web browser.
4. Use the show arp, show conn, and show xlate commands to observe the transaction:
pixP(config)# show xlate
Global 172.16.P.20 Local 10.0.P.3 static
pixP(config)# show conn
0 in use, 3 most used
TCP out bastionhost:80 in 10.0.P.3:1074 idle 0:00:07 Bytes 380 flags UIO
Step 8 Test FTP access to the bastion host from your Windows NT server by completing the following sub-steps:
1. Establish an FTP session to the bastion host by choosing Start>Run>ftp 172.16.P.2. You have reached the bastion host if you receive the message "Connected to 172.16.P.2." (where P = pod number)
2. Log into the FTP session.
User (172.16.P.2(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: cisco
3. Quit the FTP session if you were able to connect and log in: ftp> quit.
Task 2—Configure Outside Access to the DMZ
Configure the PIX Firewall to permit outside access to hosts in the DMZ. Configure a static and conduit to test communications using ping between perimeter routers and the bastion host, and then configure HTTP and FTP access.
Step 1 Create a static translation for your bastion host. Use the hostname configured in a previous lab step for the bastion host at 172.16.P.2.
pixP(config)# static (dmz,outside) 192.168.P.11 bastionhost
(where P = pod number)
Step 2 Ping a peer bastion host from your internal host as allowed by the conduit via the static.
C:\> ping 192.168.Q.11
(where Q = peer pod number)
Step 3 View current static translations.
pixP(config)# show xlate
Global 172.16.P.20 Local 10.0.P.3
Global 192.168.P.10 Local 10.0.P.3 static
Global 192.168.P.11 Local bastionhost static
Step 4 Test web access to the bastion hosts of opposite pod groups by completing the following sub-steps:
1. Open a web browser on the client PC.
2. Use the web browser to access the bastion host of your peer pod group by entering http://192.168.Q.11. (where Q = peer pod number)
3. Have an opposite pod group attempt to access your bastion host in the same way. You should be unable to access the IP address of the static mapped to the bastion host of the opposite pod group.
Step 5 Test FTP access to the bastion hosts of other pod groups by completing the following sub-steps:
1. On your FTP client, attempt to get into the bastion host of another pod group by choosing Start>Run>ftp 192.168.Q.11. You should be unable to access your peer's bastion host via FTP. (where Q = peer pod number)
2. Have an opposite pod group use FTP to attempt to get into your bastion host.
Step 6 Configure conduits to allow Web and FTP access to the bastion host from the outside and then test the conduits. Configure the conduits to allow TCP traffic from clients on the outside network to access the DMZ bastion host using the previously configured static.
pixP(config)# conduit permit tcp host 192.168.P.11 eq www any
pixP(config)# conduit permit tcp host 192.168.P.11 eq ftp any
Step 7 Test Web access to the bastion hosts of opposite pod groups by completing the following sub-steps:
1. Open a web browser on the client PC.
2. Use the web browser to access the bastion host of your peer pod group: http://192.168.Q.11 (where Q = peer pod number)
3. Have an opposite pod group test your static and conduit configuration in the same way.
4. Use the show arp, show conn, and show xlate commands to observe the transaction.
Step 8 Test FTP access to the bastion hosts of other pod groups by completing the following sub-steps:
1. On your client PC, use FTP to get into the bastion host of another pod group by choosing Start>Run>ftp 192.168.Q.11. (where Q = peer pod number)
2. Have an opposite pod group use FTP to get into your bastion host to test your static and conduit configuration.
3. Use the show arp, show conn, and show xlate commands to observe the transaction.
Step 9 Write the current configuration to the terminal and verify that you have entered the previous commands correctly. Your configuration should appear similar to the following:
pixP(config)# write terminal
Building configuration...
: Saved
:
PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixP
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
name 172.16.P.2 bastionhost
pager lines 24
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.168.P.2 255.255.255.0
ip address inside 10.0.P.1 255.255.255.0
ip address dmz 172.16.P.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.P.20-192.168.P.254 netmask 255.255.255.0
global (dmz) 1 172.16.P.20-172.16.P.254 netmask 255.255.255.0
nat (inside) 1 10.0.P.0 255.255.255.0 0 0
static (inside,outside) 192.168.P.10 10.0.P.3
static (dmz,outside) 192.168.P.11 bastionhost
conduit permit icmp any any
conduit permit tcp host 192.168.P.10 eq www any
conduit permit tcp host 192.168.P.11 eq www any
conduit permit tcp host 192.168.P.11 eq ftp any
route outside 0.0.0.0 0.0.0.0 192.168.P.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:9963c491006b1296815f3437947fab81
: end
[OK]
Completion Criteria You have completed this exercise if you were able to reach your bastion host, and another group could reach your bastion host.
Lab 7-6 Cisco Secure PIX Firewall Advanced 2.1
8
Dynamic Host Configuration Protocol Support
Overview
This chapter includes the following topics:
■ Objectives
■ Dynamic Host Configuration Protocol
■ The PIX Firewall as a DHCP Server
■ The PIX Firewall as a DHCP Client
■ Summary
■ Lab Exercise
Objectives
This section lists the chapter’s objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
• Explain the function of DHCP.
• Explain the DHCP server and DHCP client support in the PIX Firewall.
• Configure the PIX Firewall as a DHCP server.
• Configure the PIX Firewall as a DHCP client.
Dynamic Host Configuration Protocol This section describes the function of the Dynamic Host Configuration Protocol (DHCP) and explains how the Cisco PIX Firewall can use it.
DHCP
DHCP can be used to dynamically assign:
• An IP address and subnet mask.
• The IP address of a DNS server.
• The IP address of a Windows Internet Name Server (WINS).
• A domain name.
• A lease length.
DHCP provides automatic allocation of reusable network addresses on a TCP/IP network. This eases administration and dramatically reduces the margin for human error. Without DHCP, IP addresses must be entered manually at each computer or device that requires one. DHCP can also distribute other configuration parameters, such as DNS and Windows Internet Name Service (WINS) server addresses and domain names. The host that distributes the addresses and configuration parameters to DHCP clients is called a DHCP server. A DHCP client is any host that uses DHCP to obtain configuration parameters.
Because DHCP traffic consists of broadcasts, and a significant goal of router configuration is to control the unnecessary proliferation of broadcast packets, it may be necessary to enable forwarding of DHCP broadcasts on routers that lie between your DHCP server and its clients. To have the Cisco IOS software forward these broadcasts, use the ip helper-address interface configuration command. The address specified in the command should be that of the DHCP server.
Note: WINS registers NetBIOS computer names and resolves them to IP addresses.
The PIX Firewall as the DHCP Server or Client
The PIX Firewall
• Can distribute IP addresses, subnet masks, and other configuration parameters to DHCP clients on the internal network.
• Can become a client of a DHCP server.
Any PIX Firewall that runs version 5.2 or higher supports DHCP server and client operation. A DHCP server is a device that provides configuration parameters to a DHCP client, and a DHCP client is a device that uses DHCP to obtain network configuration parameters. In a network environment secured by a PIX Firewall, PC clients connect to the PIX Firewall and establish network connections to access an enterprise or corporate network. As a DHCP server, the PIX Firewall provides these PCs (its DHCP clients) the networking parameters necessary for accessing the enterprise or corporate network, including the network services to use once inside, such as the DNS server. As a DHCP client, the PIX Firewall can obtain an IP address, subnet mask, and, optionally, a default route from a DHCP server.
Note: Currently, the PIX Firewall can distribute configuration parameters only to clients that are physically connected to the subnet of its inside interface.
The PIX Firewall as a DHCP Server This section explains how to configure the PIX Firewall to act as a DHCP server.
Figure: the DHCP exchange, final step (DHCPACK): the server acknowledges assignment of 10.0.0.3.
DHCP communication consists of several broadcast messages passed between the DHCP client and the DHCP server. The following events occur during this exchange:
1. The client broadcasts a DHCPDISCOVER message on its local physical subnet to locate available DHCP servers.
2. Any reachable DHCP server may respond with a DHCPOFFER message that includes an available network address and other configuration parameters.
3. Based on the configuration parameters offered in the DHCPOFFER messages, the client chooses one server from which to request configuration parameters. The client broadcasts a DHCPREQUEST message requesting the offered parameters from that one server and implicitly declining the offers from all others.
4. The server selected in the DHCPREQUEST message responds with a DHCPACK message containing the configuration parameters for the requesting client. If the selected server has since become unable to satisfy the DHCPREQUEST (for example, because the requested network address has already been allocated), the server responds with a DHCPNAK message instead. The client receives either the DHCPNAK or the DHCPACK containing the configuration parameters.
Note: The PIX Firewall DHCP server does not support BOOTP requests or failover configurations.
To enable DHCP server support on the PIX Firewall, complete the following steps:
Step 1 Assign a static IP address to the inside interface by using the ip address command.
Step 2 Specify a range of addresses for the DHCP server to distribute by using the dhcpd address command.
Step 3 Specify the IP address of the DNS server that the client will use by using the dhcpd dns command. This step is optional.
Step 4 Specify the IP address of the WINS server that the client will use by using the dhcpd wins command. This step is also optional.
Step 5 Specify the lease length to grant the client by using the dhcpd lease command.
Step 6 Specify the ping timeout value by using the dhcpd ping_timeout command. This step is optional.
Step 7 Configure the domain name the client will use by using the dhcpd domain command. This step is optional.
Step 8 Enable the DHCP daemon within the PIX Firewall to listen for DHCP client requests on the enabled interface by using the dhcpd enable command.
dhcpd address Command
pixfirewall(config)# dhcpd address ip1[-ip2] [if_name]
• This command specifies a range of addresses for DHCP to assign.
pixfirewall(config)# dhcpd address 10.0.0.2-10.0.0.15 inside
• The DHCP server assigns addresses 10.0.0.2–10.0.0.15 to DHCP clients on the inside. Addresses are assigned in numerical order starting with 10.0.0.2.
The dhcpd address command specifies the range of IP addresses for the server to distribute. The address pool of a PIX Firewall DHCP server must be within the same subnet as the PIX Firewall interface that is enabled; in other words, the client must be physically connected to the subnet of a PIX Firewall interface. Up to 32 addresses can be included in the pool. The default for the PIX Firewall interface name is the inside interface, which is the only interface currently supported. The no dhcpd address command removes the DHCP server address pool.
In PIX Firewall versions 5.3 and above, the dhcpd ping_timeout command is available. The DHCP server pings an address before issuing it to a client. If a response to the ping is received, the address is removed from the pool and is not assigned. The dhcpd ping_timeout command specifies how long the DHCP server waits for that response before allocating the address to a client.
The syntax for the dhcpd address command is as follows:
dhcpd address ip1[-ip2] [if_name]
address ip1 [ip2]
    The IP pool address range. The size of the pool is limited to 32 addresses.
if_name
    Name of the PIX Firewall interface. The default is the inside interface. The PIX Firewall DHCP server daemon can only be enabled on the inside interface.
dhcpd dns Command
pixfirewall(config)# dhcpd dns dns1 [dns2]
• Specifies the IP address of the DNS server the client will use (optional)
pixfirewall(config)# dhcpd dns 10.0.0.20
• The DHCP server notifies the DHCP client that 10.0.0.20 is the address of the DNS server to use
The dhcpd dns command specifies the IP address of the DNS server for DHCP clients. Up to two DNS servers can be specified with this command. Use the no dhcpd dns command to remove the DNS IP addresses from your configuration.
The syntax for the dhcpd dns command is as follows:
dhcpd dns dns1 [dns2]
dns dns1 [dns2]
    The IP addresses of the DNS servers for the DHCP client. The second server address is optional.
dhcpd wins Command
pixfirewall(config)# dhcpd wins wins1 [wins2]
• Specifies the IP address of the WINS server that the client will use (optional)
pixfirewall(config)# dhcpd wins 10.0.0.21
• The DHCP server notifies the DHCP client that it will use 10.0.0.21 as its WINS server
The dhcpd wins command can be used to specify up to two WINS servers for DHCP clients to use. This command is optional. The no dhcpd wins command removes the WINS server IP addresses from your configuration.
The syntax for the dhcpd wins command is as follows:
dhcpd wins wins1 [wins2]
wins wins1 [wins2]
    The IP addresses of the Microsoft NetBIOS name servers (WINS servers). The second server address is optional.
dhcpd lease Command
pixfirewall(config)# dhcpd lease lease_length
• Specifies the lease length to grant the client
• Default = 3600 seconds
pixfirewall(config)# dhcpd lease 3600
• The DHCP clients can use their allocated leases for 3600 seconds
The dhcpd lease command specifies the amount of time, in seconds, that the client can use the assigned IP address. The default is 3600 seconds. The minimum lease length is 300 seconds, and the maximum lease length is 2,147,483,647 seconds.
The syntax of the dhcpd lease command is as follows:
dhcpd lease lease_length
lease lease_length
    The length of the lease, in seconds, granted to the DHCP client by the DHCP server. The lease indicates how long the client can use the assigned IP address. The default is 3,600 seconds. The minimum lease length is 300 seconds, and the maximum is 2,147,483,647 seconds.
dhcpd ping_timeout Command
pixfirewall(config)# dhcpd ping_timeout timeout
• Specifies the length of time the DHCP server waits before allocating an address to a client.
• Default = 750 milliseconds
pixfirewall(config)# dhcpd ping_timeout 10000
• The DHCP server waits 10000 milliseconds (10 seconds) before allocating an address to a client.
To avoid IP address conflicts, the DHCP server in the PIX Firewall pings an address before issuing it to a client. If a response to the ping is received, the PIX Firewall removes the address from its pool of DHCP addresses. In PIX Firewall software versions 5.3 and higher, the amount of time, in milliseconds, that the DHCP server waits for a response is configurable with the dhcpd ping_timeout command. The default value is 750 milliseconds. The minimum value is 100, and the maximum is 10000. The no dhcpd ping_timeout command resets the timeout to the default.
The syntax of the dhcpd ping_timeout command is as follows:
dhcpd ping_timeout timeout
ping_timeout timeout
    Specifies the amount of time, in milliseconds, that the DHCP server waits for a ping response before allocating an address to a client.
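The four-message exchange described earlier in this section, together with the dhcpd address, dhcpd lease, dhcpd dns, dhcpd wins, dhcpd domain and dhcpd ping_timeout behaviour just covered, worked as an added Python example. This is not PIX code and is not part of the original guide: it builds and parses RFC 2131 datagrams, and the server side models the rules the chapter states (pool inside the interface subnet, at most 32 addresses, lease between 300 and 2,147,483,647 seconds, a ping probe before an address is handed out, addresses issued in numerical order) with a callable standing in for the probe. The pod-1 addresses and client hardware addresses it uses are constructed for the example.

```python
"""Added example (not PIX code): an RFC 2131 DHCP message codec and a toy server
that applies the dhcpd rules from this chapter (constructed values throughout)."""
import ipaddress
import struct

OPT_SUBNET, OPT_DNS, OPT_DOMAIN, OPT_WINS = 1, 6, 15, 44          # RFC 2132 option codes
OPT_REQ_ADDR, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6                 # option 53 values
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed header, network byte order
COOKIE = b"\x63\x82\x53\x63"

def packed(ip):
    return ipaddress.IPv4Address(ip).packed

def encode(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Build a datagram: fixed header, magic cookie, TLV options, END marker."""
    hdr = struct.pack(HDR, op, 1, len(chaddr), 0, xid, 0, 0x8000, b"\0" * 4, packed(yiaddr),
                      b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + COOKIE + body + bytes([OPT_END])

def decode(data):
    f = struct.unpack(HDR, data[:236])
    if data[236:240] != COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                      # pad option carries no length byte
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        opts[code], i = data[i + 2:i + 2 + ln], i + 2 + ln
    return {"xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "chaddr": f[11][:f[2]], "options": opts}

class PixStyleDhcpServer:
    """Pool in the interface subnet, max 32 addresses, lease 300..2**31-1 s, ping probe."""

    def __init__(self, iface_ip, mask, first, last, lease=3600, dns=(), wins=(),
                 domain=None, ping_answered=lambda ip: False):
        self.net = ipaddress.IPv4Network(f"{iface_ip}/{mask}", strict=False)
        self.iface_ip, self.lease = ipaddress.IPv4Address(iface_ip), lease
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo not in self.net or hi not in self.net:
            raise ValueError("dhcpd address: pool must lie in the interface subnet")
        if int(hi) - int(lo) + 1 > 32:
            raise ValueError("dhcpd address: pool is limited to 32 addresses")
        if not 300 <= lease <= 2**31 - 1:
            raise ValueError("dhcpd lease: must be 300..2147483647 seconds")
        self.pool = [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]
        self.dns, self.wins, self.domain = dns, wins, domain
        self.ping_answered = ping_answered    # stands in for the dhcpd ping check
        self.bindings = {}                    # client hardware address -> IPv4Address

    def _options(self, mtype):
        opts = [(OPT_MSG_TYPE, bytes([mtype])), (OPT_SERVER_ID, self.iface_ip.packed),
                (OPT_LEASE, struct.pack("!I", self.lease)), (OPT_SUBNET, self.net.netmask.packed)]
        for code, servers in ((OPT_DNS, self.dns), (OPT_WINS, self.wins)):
            if servers:
                opts.append((code, b"".join(packed(s) for s in servers)))
        if self.domain:
            opts.append((OPT_DOMAIN, self.domain.encode()))
        return opts

    def _allocate(self, chaddr):
        if chaddr in self.bindings:
            return self.bindings[chaddr]
        while self.pool:
            cand = self.pool.pop(0)           # handed out in numerical order
            if self.ping_answered(str(cand)): # a reply means a conflict: drop the address
                continue
            self.bindings[chaddr] = cand
            return cand
        return None                           # pool exhausted

    def handle(self, data):
        """DISCOVER -> OFFER, REQUEST -> ACK or NAK, anything else is ignored."""
        msg = decode(data)
        opts, chaddr, xid = msg["options"], msg["chaddr"], msg["xid"]
        mtype = opts[OPT_MSG_TYPE][0]
        if mtype == DISCOVER:
            addr = self._allocate(chaddr)
            return None if addr is None else encode(2, xid, chaddr, str(addr), self._options(OFFER))
        if mtype == REQUEST:
            if opts.get(OPT_SERVER_ID, self.iface_ip.packed) != self.iface_ip.packed:
                return None                   # client accepted another server's offer
            wanted = ipaddress.IPv4Address(opts[OPT_REQ_ADDR])
            if self.bindings.get(chaddr) == wanted:
                return encode(2, xid, chaddr, str(wanted), self._options(ACK))
            return encode(2, xid, chaddr, options=[(OPT_MSG_TYPE, bytes([NAK])),
                                                  (OPT_SERVER_ID, self.iface_ip.packed)])

def build_request(xid, chaddr, ip, server_ip):
    return encode(1, xid, chaddr, options=[(OPT_MSG_TYPE, bytes([REQUEST])),
                                           (OPT_REQ_ADDR, packed(ip)), (OPT_SERVER_ID, packed(server_ip))])

def run_exchange(server, chaddr, xid=0x2A2A):
    """Client side of the four-step exchange; returns what the final ACK delivered."""
    discover = encode(1, xid, chaddr, options=[(OPT_MSG_TYPE, bytes([DISCOVER]))])
    offer = decode(server.handle(discover))
    chosen = str(ipaddress.IPv4Address(offer["options"][OPT_SERVER_ID]))
    o = decode(server.handle(build_request(xid, chaddr, offer["yiaddr"], chosen)))
    return {"type": o["options"][OPT_MSG_TYPE][0], "ip": o["yiaddr"],
            "lease": struct.unpack("!I", o["options"][OPT_LEASE])[0],
            "domain": o["options"][OPT_DOMAIN].decode() if OPT_DOMAIN in o["options"] else None}
```

The NAK branch is the failure case of step 4: a REQUEST for an address the server has not bound to that client hardware address is refused rather than silently granted. A DISCOVER arriving after the pool is exhausted gets no reply at all, which is what a client experiences when a 32-address pool runs out, and an address that answers the probe is dropped from the pool exactly as the dhcpd ping check drops it.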
dhcpd domain Command
pixfirewall(config)# dhcpd domain domain_name
• Specifies the domain name the client will use (optional)
pixfirewall(config)# dhcpd domain cisco.com
• The DHCP server notifies the client that the domain name is cisco.com
You can configure the domain name the client will use with the dhcpd domain command. This is an optional step in configuring the PIX Firewall as a DHCP server. Use the no form of the command to remove a configured domain name.
The syntax of the dhcpd domain command is as follows:
dhcpd domain domain_name
domain domain_name
    The DNS domain name (for example, example.com).
dhcpd enable Command
pixfirewall(config)# dhcpd enable [if_name]
• Enables the DHCP daemon within the PIX Firewall to listen for DHCP client requests on the enabled interface
pixfirewall(config)# dhcpd enable inside
• The DHCP server feature is enabled on the inside interface
Enable the DHCP daemon within the PIX Firewall to listen for DHCP client requests on the enabled interface by executing the dhcpd enable command. Currently, you can only enable the DHCP server feature on the inside interface, which is the default. Use the no form of the command to disable the DHCP daemon.
The syntax of the dhcpd enable command is as follows:
dhcpd enable [if_name]
if_name
    Name of the PIX Firewall interface. The default is the inside interface. The DHCP server daemon can only be enabled on the inside interface.
debug dhcpd and clear dhcpd Commands
pixfirewall(config)# debug dhcpd event | packet
• Displays information associated with the DHCP server
pixfirewall(config)# clear dhcpd
• Removes all dhcpd command statements from the configuration
The debug dhcpd command displays information associated with the DHCP server. Use the debug dhcpd event command to display event information about the DHCP server, and use the debug dhcpd packet command to display packet information about the DHCP server. Use the no form of the debug dhcpd command to disable debugging.
The syntax of the debug dhcpd command is as follows:
debug dhcpd event | packet
dhcpd event
    Displays event information associated with the DHCP server.
dhcpd packet
    Displays packet information associated with the DHCP server.
The clear dhcpd command can be used to clear all dhcpd commands, binding information, and statistics. Use the clear dhcpd command with no options to remove all dhcpd command statements from the configuration.
The syntax of the clear dhcpd command is as follows:
clear dhcpd [binding | statistics]
binding
    The binding information for a given server IP address and its associated client hardware address and lease length.
statistics
    Statistical information, such as address pool, number of bindings, malformed messages, sent messages, and received messages.
The PIX Firewall as a DHCP Client This section explains how to configure your PIX Firewall as a DHCP client.
ip address dhcp Command
pixfirewall(config)# ip address if_name dhcp [setroute]
• This command enables the DHCP client feature on the specified PIX Firewall interface.
Use the ip address dhcp command to enable the DHCP client feature on the PIX Firewall. DHCP client support within the PIX Firewall is designed for small office or home office environments in which the PIX Firewall is directly connected to a DSL or cable modem that supports the DHCP server function. The outside PIX Firewall interface can acquire its address and subnet mask (and optionally, a default route) from a DHCP server. This address can then be used as the PAT global address, which makes it unnecessary for the ISP to assign a static IP address to the PIX Firewall unit.
In software versions 6.0 and higher, the ip address command has been enhanced to let you enter the number of times the PIX Firewall polls for DHCP information. Use the ip address outside dhcp command with the retry option to enable the PIX Firewall to retry a poll for DHCP information.
The syntax of the ip address dhcp commands is as follows:
ip address if_name dhcp [setroute]
ip address outside dhcp [setroute] [retry retry_cnt]
if_name
    The internal or external interface name designated by the nameif command.
dhcp
    Enables the DHCP client feature on the specified interface.
setroute
    Tells the PIX Firewall to set the default route using the default gateway parameter the DHCP server returns.
outside
    Interface from which the PIX Firewall polls for information.
retry
    Enables the PIX Firewall to retry a poll for DHCP information.
retry_cnt
    Specifies the number of times the PIX Firewall polls for DHCP information. The values available are 4 to 16. If no value is specified, the default is 4.
debug dhcpc Commands
pixfirewall(config)# debug dhcpc packet
• Displays packet information associated with the DHCP client
The debug dhcpc packet, debug dhcpc detail, and debug dhcpc error commands display information associated with the DHCP lease. Use the no form of these commands to disable debugging.
The syntax of the debug dhcpc command is as follows:
debug dhcpc detail | error | packet
dhcpc detail
    Displays detailed information about the DHCP client packets.
dhcpc error
    Displays error messages associated with the DHCP client.
dhcpc packet
    Displays packet information associated with the DHCP client.
dhcpd auto_config Command
pixfirewall(config)# dhcpd auto_config [client_ifx_name]
• Enables the PIX Firewall to automatically pass the DNS, WINS, and domain name values obtained by its DHCP client to its DHCP server.
The PIX Firewall can be a DHCP server, a DHCP client, or both simultaneously. Combined DHCP server and client support lets the DNS, WINS, and domain name values obtained by the PIX Firewall DHCP client be reused automatically for the hosts served by the PIX Firewall’s DHCP server. Use the dhcpd auto_config command to enable the PIX Firewall to pass the configuration parameters it receives from a DHCP server on to its own DHCP clients. DHCP must be enabled with the dhcpd enable command before the dhcpd auto_config command can be used. To disable the auto_config feature, use the no dhcpd auto_config command.
The syntax of the dhcpd auto_config command is as follows:
dhcpd auto_config [client_ifx_name]
no dhcpd auto_config [client_ifx_name]
auto_config
    Enables the PIX Firewall to automatically configure DNS, WINS, and domain name values from the DHCP client to the DHCP server.
client_ifx_name
    Supports only the outside interface at this time. When more interfaces are supported, this argument will specify which interface supports the DHCP auto_config feature.
Summary
This section summarizes the information you learned in this chapter.
• DHCP can be used to assign IP addresses, subnet masks, and other configuration parameters.
• The PIX Firewall can become a DHCP server or a DHCP client.
• Use the dhcpd address, dhcpd lease, and dhcpd enable commands to configure the PIX Firewall as a DHCP server.
• Use the ip address dhcp command to configure the PIX Firewall as a DHCP client.
Lab Exercise—Configure the PIX Firewall’s DHCP Server and Client Features Complete the following lab exercise to practice what you learned in this chapter. This lab exercise is divided into two sections: Configure the PIX Firewall’s DHCP Server Feature and Configure the PIX Firewall’s DHCP Client Feature
Configure the PIX Firewall’s DHCP Server Feature Complete the following section to practice what you learned in this chapter.
Objectives
In this lab exercise, you will complete the following tasks:
■ Verify the PIX Firewall’s inside IP address.
■ Configure the PIX Firewall’s DHCP server feature.
■ Test the PIX Firewall’s DHCP server feature.
■ Disable DHCP on the NT server.
■ Disable the PIX Firewall’s DHCP server feature.
Visual Objective
Figure (lab visual objective): the Internet and the 172.26.26.0/24 network, with the backbone server at .50 (web, FTP, and TFTP server); the pod’s 192.168.P.0/24 network, with .2 shown on the diagram.
Task 1—Verify the PIX Firewall’s Inside IP Address
Complete the following steps to verify the PIX Firewall’s inside IP address:
Step 1 Display the currently configured IP addresses:
pixP(config)# show ip address
Step 2 Ensure that the IP address on the inside interface is 10.0.P.1 (where P = pod number).
Step 3 Establish a connection to the web server at 172.26.26.50 by completing the following sub-steps:
1. Open a web browser on your Windows NT server.
2. Use the web browser to access the web server by entering http://172.26.26.50
Task 2—Configure the PIX Firewall’s DHCP Server Feature
Complete the following steps to configure the PIX Firewall’s DHCP server feature:
Step 1 Specify a range of addresses for the DHCP server to distribute (where P = pod number):
pixP(config)# dhcpd address 10.0.P.51-10.0.P.60 inside
Step 2 Specify the IP address of the DNS server the client will use (where P = pod number):
pixP(config)# dhcpd dns 10.0.P.75
Step 3 Specify the IP address of the WINS server the client will use (where P = pod number):
pixP(config)# dhcpd wins 10.0.P.76
Step 4 Specify the lease length to grant the client:
pixP(config)# dhcpd lease 3000
Step 5 Configure the domain name the client will use:
pixP(config)# dhcpd domain cisco.com
Step 6 Enable the DHCP daemon within the PIX Firewall to listen for DHCP client requests on the enabled interface:
pixP(config)# dhcpd enable inside
Step 7 Display the DHCP configuration and binding:
pixP(config)# show dhcpd
dhcpd address 10.0.P.51-10.0.P.60 inside
dhcpd dns 10.0.P.75
dhcpd wins 10.0.P.76
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd domain cisco.com
dhcpd enable inside
Step 8 Save your DHCP configuration:
pixP(config)# write memory
Task 3—Test the PIX Firewall’s DHCP Server Feature
Complete the following steps to test the PIX Firewall’s DHCP server feature:
Step 1 Right-click the My Network Places desktop icon and choose Properties. The Network and Dial-up Connections window opens.
Step 2 Double-click the Local Area Connection icon. The Local Area Connection Status window opens.
Step 3 Click Properties. The Local Area Connection Properties window opens.
Step 4 Select the Internet Protocol (TCP/IP) component and click Properties. The Internet Protocol (TCP/IP) Properties window opens.
Step 5 Select the Obtain an IP address automatically option.
Step 6 Click OK to close the Internet Protocol (TCP/IP) Properties window.
Step 7 Click OK to close the Local Area Connection Properties window. It may take a few moments for the window to close.
Step 8 Close the Local Area Connection Status window.
Step 9 Close the Network and Dial-up Connections window.
Step 10 Open a Windows NT command prompt, and release and renew your IP address:
C:\> ipconfig /release
C:\> ipconfig /renew
Step 11 Verify that the PIX Firewall assigned an IP address, subnet mask, DNS address, WINS address, and domain name to your NT server by opening a Windows NT command prompt and viewing the IP configuration:
C:\> ipconfig /all
Step 12 Establish a connection to the web server at 172.26.26.50:
1. Open a web browser on your Windows NT Server.
2. Use the web browser to access the web server by entering http://172.26.26.50
Task 4—Disable DHCP on the NT Server
Complete the following steps to disable DHCP on the NT server:
Step 1 Right-click the My Network Places icon on your Windows NT desktop and choose Properties. The Network and Dial-up Connections window opens.
Step 2 Double-click the Local Area Connection icon. The Local Area Connection Status window opens.
Step 3 Click Properties. The Local Area Connection Properties window opens.
Step 4 Select the Internet Protocol (TCP/IP) component and click Properties. The Internet Protocol (TCP/IP) Properties window opens.
Step 5 Select the Specify an IP address option.
Step 6 Enter 10.0.P.3 in the IP Address text box (where P = pod number).
Step 7 Enter 255.255.255.0 in the Subnet Mask text box.
Step 8 Enter 10.0.P.1 in the Default Gateway text box (where P = pod number).
Step 9 Click the Advanced button. The Advanced TCP/IP Settings window opens.
Step 10 Click Add within the IP Addresses group box.
Step 11 In the TCP/IP Address box, enter 10.1.P.3 as the IP address and 255.255.255.0 as the Subnet Mask (where P = pod number).
Step 12 Click Add.
Step 13 Click OK to close the Advanced TCP/IP Settings window.
Step 14 Click OK to close the Internet Protocol (TCP/IP) Properties window.
Step 15 Click OK to close the Local Area Connection Properties window. It may take a few moments for the window to close.
Step 16 Close the Local Area Connection Status window.
Step 17 Close the Network and Dial-up Connections window.
Step 18 Restart the computer.
Step 19 Log back into your computer.
Step 20 At a Windows NT command prompt, verify that the configuration supplied by the PIX Firewall’s DHCP server has been removed, and that the following IP configuration exists on your Windows NT computer:
C:\> ipconfig /all
■ Hostname—NTP
■ DNS Server—(blank)
■ DHCP Enabled—no
■ IP Address—10.1.P.3 (where P = pod number)
■ Subnet Mask—255.255.255.0
■ IP Address—10.0.P.3 (where P = pod number)
■ Subnet Mask—255.255.255.0
■ Default Gateway—10.0.P.1 (where P = pod number)
Task 5—Disable the PIX Firewall’s DHCP Server Feature
Complete the following steps to disable the PIX Firewall’s DHCP server feature:
Step 1 From a Windows NT command prompt, telnet to the backbone router (where P = pod number):
C:\> telnet 10.0.P.100
Step 2 When prompted for a password, enter cisco.
Step 3 Connect to your PIX Firewall (where P = pod number):
rbb> pPp
Step 4 Clear all dhcpd commands, binding, and statistics information:
pixP(config)# clear dhcpd
Step 5 Verify that the DHCP feature has been disabled:
pixP(config)# show dhcpd
Step 6 Save your current configuration:
pixP(config)# write memory
Configure the PIX Firewall’s DHCP Client Feature Complete the following section to configure the PIX Firewall’s DHCP client feature.
Objectives
In this lab exercise, you will complete the following tasks:
■ Configure the PIX Firewall to use its outside interface address for PAT.
■ Configure your router to pass DHCP broadcasts.
■ Configure the PIX Firewall’s DHCP client feature.
■ Test the DHCP client and PAT.
■ Remove the DHCP client configuration.
Visual Objectives
Figure (lab visual objective): the Internet and the 172.26.26.0/24 network, with the backbone server at .50 (DHCP, web, FTP, and TFTP server) and a DHCP pool of 192.168.P.75-192.168.P.99; the pod’s 192.168.P.0/24 network, with .2 shown on the diagram.
Setup
Before starting this lab exercise, access the PIX Firewall console using Telnet.
Task 1—Configure the PIX Firewall to Use its Outside Interface Address for PAT
Complete the following steps to configure the PIX Firewall to use its outside interface address for PAT:
Step 1 Remove the currently configured global pool and static mapping (where P = pod number):
pixP(config)# no global (outside) 1 192.168.P.20-192.168.P.254
pixP(config)# no static (inside,outside) 192.168.P.10 10.0.P.3
Step 2 Configure PAT to use the outside interface address:
pixP(config)# global (outside) 1 interface
Task 2—Configure Your Router to Pass DHCP Broadcasts
Complete the following steps to configure your router to pass DHCP broadcasts:
Step 1 From a Windows NT command prompt, telnet to the backbone router (where P = pod number):
C:\> telnet 10.0.P.100
Step 2 When prompted for a password, enter cisco.
Step 3 Connect to your perimeter router (where P = pod number):
rbb> rP
Step 4 Enter privileged mode:
rP> enable
Step 5 When prompted for a password, enter cisco.
Step 6 Enter global configuration mode:
rP# configure terminal
Step 7 Access the inside interface:
rP(config)# interface e0/0
Step 8 Configure the router to pass DHCP broadcast traffic. Because the backbone server is the DHCP server, use its address, 172.26.26.50, as the IP helper address:
rP(config-if)# ip helper-address 172.26.26.50
Step 9 Exit configuration mode by pressing Ctrl+Z.
Step 10 Save your configuration:
rP# write memory
Task 3—Configure the PIX Firewall’s DHCP Client Feature
Complete the following steps to configure the PIX Firewall’s DHCP client feature:
Step 1 Connect again to your PIX Firewall, enter configuration mode, and remove the currently configured IP addresses:
pixP(config)# clear ip address
Step 2 Configure the inside IP address (where P = pod number):
pixP(config)# ip address inside 10.0.P.1 255.255.255.0
Step 3 Configure the PIX Firewall to retrieve its outside IP address from a DHCP server:
pixP(config)# ip address outside dhcp
Step 4 Notice the IP address assigned to the PIX Firewall.
Task 4—Test the DHCP Client and PAT
Complete the following steps to test the DHCP client and PAT:
Step 1 Clear the translation table:
pixP(config)# clear xlate
Step 2 Ensure that the translation table is clear:
pixP(config)# show xlate
Step 3 Test the use of the DHCP-retrieved address for PAT:
1. Open a web browser on your Windows NT Server.
2. Use the web browser to access the backbone server by entering http://172.26.26.50
Step 4 View the translation table to see the address used for PAT:
pixP(config)# show xlate
Task 5—Remove the DHCP Client Configuration
Complete the following steps to remove the DHCP client configuration:
Step 1 Disable the DHCP client feature:
pixP(config)# no ip address outside dhcp
Step 2 Remove the dynamically assigned IP address:
pixP(config)# clear ip address
Step 3 Assign static addresses to the inside, outside, and DMZ interfaces (where P = pod number):
pixP(config)# ip address outside 192.168.P.2 255.255.255.0
pixP(config)# ip address inside 10.0.P.1 255.255.255.0
pixP(config)# ip address dmz 172.16.P.1 255.255.255.0
Step 4 Verify that the static addresses are in place and that the interfaces are up:
pixP(config)# show interface
Step 5 Remove the global command that uses the interface option:
pixP(config)# no global (outside) 1 interface
Step 6 Reinstate the global pool and static mapping you removed earlier (where P = pod number):
pixP(config)# global (outside) 1 192.168.P.20-192.168.P.254 netmask 255.255.255.0
pixP(config)# static (inside,outside) 192.168.P.10 10.0.P.3
Step 7 Save your configuration:
pixP(config)# write memory
9
Configuring Syslog
Overview
This chapter includes the following topics:
■ Objectives
■ Syslog messages
■ Summary
■ Lab exercise
Objectives
This section lists the chapter’s objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
• Configure Syslog message output to the PIX Firewall buffer.
• Configure the PIX Firewall to forward Syslog messages to a Syslog server.
The PIX Firewall generates Syslog messages for system events, such as alerts and resource depletion. Syslog messages may be used to create e-mail alerts and log files, or displayed on the console of a designated Syslog host. If you do not already have a Syslog server at your place of business, you can download a copy of the software from the Cisco Connection Online web site. The PIX Firewall can send Syslog messages to any Syslog server. In the event that all Syslog servers or hosts are offline, the PIX Firewall stores up to 100 messages in its memory. Subsequent messages that arrive overwrite the buffer starting from the first line.
Syslog Messages
The PIX Firewall sends Syslog messages to document the following events:
• Security
• Resources
• System
• Accounting
Use the logging buffered command to specify what Syslog messages appear on the PIX Firewall console as each message occurs:
logging buffered level
You can limit the types of messages that appear on the console with level.
Note
Cisco recommends that you do not use this command in production mode because its use degrades PIX Firewall performance.
Use the show logging command to list the current message buffer. Use the clear logging command to clear the message buffer. New messages append to the end of the buffer.
Use the logging message command to specify a message to be allowed. Use with the no command to suppress a message. All Syslog messages are permitted unless explicitly disallowed. The “PIX Startup begin” message cannot be blocked, nor can more than one message be blocked per command statement. Specify a message number to disallow or allow. If a message is listed in the Syslog as %PIX-1-101001, use “101001” as the syslog_id. Refer to the System Log Messages for the Cisco Secure PIX Firewall Version 5.1 guide for message numbers. PIX Firewall documentation is available online: www.cisco.com/univercd/cc/td/doc/product/iaabu/pix
Use the logging standby command to allow a failover standby PIX Firewall unit to send Syslog messages. This option is disabled by default. Enabling it ensures that the standby PIX Firewall’s Syslog messages stay synchronized if failover occurs; however, it doubles the amount of traffic on the Syslog server. You can disable this feature with the no logging standby command.
The following table shows the commands used in configuring a Syslog server.
Option: Description
Buffered: Sends Syslog messages to an internal buffer that can be viewed with the show logging command.
Show: Lists which logging options are enabled. If the logging buffered command is in use, the show logging command lists the current message buffer.
Clear: Clears the buffer for use with the logging buffered command.
Message: Specifies a message to be allowed. Use with the no command to suppress a message. Use the clear logging disabled command to reset the disallowed messages to the original set. Use the show message disabled command to list the suppressed messages you specified with the no logging message command. All Syslog messages are permitted unless explicitly disallowed. The “PIX Startup begin” message cannot be blocked and neither can more than one message per command statement.
Syslog_id: Specifies a message number to disallow or allow. If a message is listed in Syslog as %PIX-1-101001, use “101001” as the syslog_id. Refer to the System Log Messages for the Cisco Secure PIX Firewall Version 5.1 guide for message numbers. PIX Firewall documentation is available online: www.cisco.com/univercd/cc/td/doc/product/iaabu/pix
Standby: Allows the failover standby PIX Firewall to send Syslog messages. This option is disabled by default. You can enable it to ensure that the standby PIX Firewall’s Syslog messages stay synchronized if failover occurs. However, this option causes twice as much traffic on the Syslog server. This feature can be disabled with the no logging standby command.
Configure Message Output to a Syslog Server
To send messages to a Syslog server, complete the following:
Step 1
Designate a host to receive the messages with the logging host command:
logging host [in_if_name] ip_address [protocol / port]
Replace in_if_name with the interface on which the server exists and ip_address with the IP address of the host. If the Syslog server is receiving messages on a non-standard port, you can replace protocol with udp and port with the new port value. The default protocol is UDP with a default port of 514, and the allowable range for changing the value is 1025 through 65535. You can also specify TCP with a default port of 1470; the allowable range is likewise 1025 through 65535.
Note
Multiple logging host commands are allowed for the PIX Firewall to send Syslog messages to multiple servers, but only one protocol, UDP or TCP, is permitted for a specific Syslog server. A subsequent command statement overrides the previous one.
Note
The PIX Firewall sends only TCP Syslog messages to the PIX Firewall Syslog Server.
Step 2
Specify the logging levels that will be forwarded to the Syslog server with the logging trap command:
logging trap level
Configure Message Output to a Syslog Server (cont.)
Step 3
Specify the logging facility to which the PIX Firewall will assign the Syslog messages with the logging facility command:
logging facility facility
Because network devices share the eight facilities, logging facility enables you to set the facility marked on all messages.
Step 4
If you want to send time-stamped messages to a Syslog server, use the logging timestamp command to enable time stamping. To disable time-stamp logging, use the no logging timestamp command.
Step 5
Start sending messages with the logging on command. To disable sending messages, use the no logging on command.
The following table shows the commands used in configuring a Syslog server.
host: Specifies a Syslog server that will receive the messages sent from the PIX Firewall. You can use multiple logging host commands to specify additional servers that would all receive messages.
trap: Traps messages at a level less than or equal to the level set for the logging host. Also enables sending SNMP messages at less than or equal to the level you specify.
level: Specifies the Syslog message level as a number or string. The level you specify means that you want to use that level and those less than the level. Possible number and string level values follow:
0 (emergencies): System unusable messages
1 (alerts): Take immediate action
2 (critical): Critical condition
3 (errors): Error message
4 (warnings): Warning message
5 (notifications): Normal but significant condition
6 (informational): Information message
7 (debugging): Debug messages and log FTP commands and WWW URLs
facility: Specifies the Syslog facility. The default is 20.
facility: There are eight facilities: LOCAL0(16) through LOCAL7(23). The default is LOCAL4(20). Hosts file the messages based on the facility number in the message.
timestamp: Specifies that Syslog messages sent to the Syslog server should have a time stamp value on each message.
on: Start sending Syslog messages to all output locations. Stop all logging with the no logging on command.
in_if_name: Interface on which the Syslog server resides.
ip_address: Syslog server’s IP address.
Summary This section summarizes what you have learned in this chapter.
Summary
• The PIX Firewall can generate Syslog messages for system events.
• Syslog messages can be sent to the PIX Firewall buffer.
• The PIX Firewall can forward Syslog messages to any Syslog server.
Lab Exercise—Configure Syslog Output to a Syslog Host or Server from the PIX Firewall
Complete the following lab to practice what you learned in this chapter.
Objectives
In this lab exercise you will complete the following tasks:
■ Configure Syslog output.
■ Configure Syslog output to a Syslog server.
Visual Objective
The following illustration displays the configuration you will complete in this lab exercise.
[Lab Visual Objective figure: Internet; pod perimeter router (.1) on 192.168.P.0/24; PIX Firewall outside interface e0 (.2); DMZ network 172.16.P.0/24]
Setup
Before starting this lab exercise, set up your equipment as follows:
■ Verify that the PIX Firewall is turned on and that your PC is connected to the PIX Firewall.
■ Verify that you have a floppy diskette created from the following files: your version and rawrite.exe.
Directions
In this lab exercise you will configure the PIX Firewall to send Syslog messages to a Syslog server or host. Work with your lab partner to perform the following steps in this lab exercise:
■ Task 1—Configure Syslog Output
■ Task 2—Configure Syslog Output to a Syslog Server
Task 1—Configure Syslog Output
Perform the following steps and enter the commands as directed to configure Syslog output:
Step 1
Enable Syslog logging.
pixP(config)# logging on
Step 2
Begin storing messages to the PIX Firewall message buffer and set the logging level to debugging.
pixP(config)# logging buffered debugging
Step 3
Clear the translate table, and then open a new Telnet window. Go to the perimeter router and ping your inside host.
pixP(config)# clear xlate
rP> ping 192.168.P.10
(where P = pod number)
Step 4
View the Syslog messages with the show logging command. New messages appear at the end of the display.
pixP(config)# show logging
Syslog logging: enabled
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 10 messages logged
Trap logging: disabled
History logging: disabled
305002: Translation built for gaddr 192.168.P.10 to laddr 10.0.P.3
Step 5
Clear messages in the buffer and verify they are cleared.
pixP(config)# clear logging
pixP(config)# show logging
Step 6
Set the logging buffered command back to a minimal level.
pixP(config)# logging buffered alerts
Task 2—Configure Syslog Output to a Syslog Server
The instructor will provide you with the procedures for access to a Syslog server or host. This varies according to the type of Syslog server used for your classroom environment.
Note
Check to verify that the Syslog server or host is turned on and that the Syslog service is installed and started.
Step 1
Designate a host to receive the messages with the logging host command. For normal Syslog operations to any Syslog server, use the default message protocol.
pixP(config)# logging host inside 10.0.P.3
(where P = pod number)
Step 2
Set the logging level to the Syslog server or host with the logging trap command. This command is used to start sending messages to the Syslog server or host. For level, refer back to the command reference table at the beginning of this exercise.
pixP(config)# logging trap debugging
Step 3
Start sending messages.
pixP(config)# logging on
Step 4
From your Windows command line, telnet to your perimeter router.
C:\> telnet 192.168.P.1
(where P = pod number)
Step 5
Go to the Syslog server or host, and locate the file that contains the Syslog messages sent by the PIX Firewall. Your instructor will inform you of file locations, as this varies according to your lab environment.
<166>%PIX-6-302010: 0 in use, 1 most used
<166>%PIX-6-302001: Built outbound TCP connection for faddr 192.168.P.1/23 gaddr 192.168.P.10/3104 laddr 10.0.P.3/3104
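The messages above carry everything the chapter's level and facility tables describe: the <166> PRI prefix encodes facility LOCAL4 (20) times 8 plus severity 6 (informational), and the %PIX-6-302001 tag repeats the severity and names the six-digit syslog_id that the logging message command filters on. The following added example (not code from the course or from Cisco) parses such lines on the Syslog host side and models the two forwarding rules from the tables: logging trap level forwards that level and every numerically lower one, and no logging message syslog_id suppresses one id. The sample lines are constructed here with pod number 1 substituted for P; the third line reuses the 101001 message number the chapter cites, with constructed message text.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Set

# Severity levels as the PIX "logging trap level" / "logging buffered level" commands name them.
LEVELS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_BY_NAME = {name: num for num, name in LEVELS.items()}

# The eight facilities a PIX can mark on messages: LOCAL0 (16) through LOCAL7 (23).
# The PIX default is LOCAL4 (20), which is what the <166> PRI in the lab output encodes.
FACILITIES = {16 + i: f"LOCAL{i}" for i in range(8)}

# Constructed sample lines in the lab's format (pod number 1). The third line is a
# hypothetical alert-level message using the chapter's 101001 id with constructed text.
SAMPLE_LINES = [
    "<166>%PIX-6-302010: 0 in use, 1 most used",
    "<166>%PIX-6-302001: Built outbound TCP connection for faddr 192.168.1.1/23 "
    "gaddr 192.168.1.10/3104 laddr 10.0.1.3/3104",
    "<161>%PIX-1-101001: constructed alert-level sample message",
]

# <PRI>%PIX-<severity>-<six-digit id>: <text>; PRI = facility * 8 + severity.
PIX_RE = re.compile(r"^<(?P<pri>\d{1,3})>%PIX-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")


class PixMessage(NamedTuple):
    facility: int
    facility_name: str
    severity: int
    severity_name: str
    syslog_id: str
    text: str


def parse_pix_syslog(line: str) -> PixMessage:
    """Split one PIX syslog line into facility, severity, message id and text."""
    m = PIX_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PIX syslog line: {line!r}")
    facility, pri_severity = divmod(int(m.group("pri")), 8)
    severity = int(m.group("sev"))
    # The severity inside %PIX-n- must agree with the one encoded in the PRI field;
    # a mismatch means the line was mangled in transit or did not come from a PIX.
    if severity != pri_severity:
        raise ValueError(f"PRI severity {pri_severity} disagrees with %PIX-{severity}")
    return PixMessage(
        facility=facility,
        facility_name=FACILITIES.get(facility, f"facility{facility}"),
        severity=severity,
        severity_name=LEVELS[severity],
        syslog_id=m.group("id"),
        text=m.group("text"),
    )


def level_number(level) -> int:
    """Accept a level as a number (0-7) or as a PIX keyword such as "debugging"."""
    if isinstance(level, int):
        if level not in LEVELS:
            raise ValueError(f"level out of range: {level}")
        return level
    return LEVEL_BY_NAME[level]


def forwarded_messages(lines: Iterable[str], trap_level,
                       disabled_ids: Optional[Set[str]] = None) -> List[PixMessage]:
    """Return the messages a PIX would send to its logging host.

    Models two rules from the chapter: "logging trap level" forwards messages at that
    level and those numerically lower (more severe), and "no logging message syslog_id"
    suppresses one id (all ids are permitted unless explicitly disallowed).
    """
    threshold = level_number(trap_level)
    disabled = disabled_ids or set()
    return [
        msg for msg in (parse_pix_syslog(line) for line in lines)
        if msg.severity <= threshold and msg.syslog_id not in disabled
    ]


if __name__ == "__main__":
    for msg in forwarded_messages(SAMPLE_LINES, "debugging"):
        print(f"{msg.facility_name} {msg.severity_name:13} {msg.syslog_id} {msg.text}")
```

Because the facility is only a number in the PRI field, a collector that files by facility (as the table says hosts do) will mix PIX messages with any other device left at LOCAL4; setting a distinct logging facility per device class is what makes that filing useful.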
10
Access Control Configuration and Content Filtering
Overview
This chapter includes the following topics:
■ Objectives
■ Access control lists
■ Converting conduits to access control lists
■ Configuring access control
■ Malicious active code filtering
■ URL filtering
■ Summary
■ Lab exercise
Objectives This section lists the chapter’s objectives.
Access Control Lists This section discusses access control through the Cisco Secure PIX Firewall using an access control list (ACL).
Access Control List
• An ACL enables you to determine what traffic will be allowed or denied through the PIX Firewall.
• ACLs are applied per interface (traffic is analyzed inbound relative to an interface).
• The access-list and access-group commands are used to create an ACL.
• The access-list and access-group commands are an alternative for the conduit and outbound commands.
An ACL is a list kept by routers and the PIX Firewall to control access to and from the router or firewall (for example, to prevent packets with a certain IP address from leaving a particular interface). An ACL is implemented using two commands: the access-list command and the access-group command. Use the access-list command to create an ACL. The access-group command binds the ACL to a specific interface on the router or PIX Firewall. Only one ACL can be bound to an interface using the access-group command. The access-list and access-group commands are an alternative to the outbound command statement. The access-list and access-group commands also take precedence over the outbound command statement.
Note
Cisco recommends using the access-list and access-group commands for ACLs instead of the outbound command because the outbound command is a PIX Firewall-specific command and Cisco is moving toward commands that are based on the Cisco IOS.
The access-list command follows the same principles and guidelines as conduits when permitting or denying traffic. The following are guidelines to use when designing and implementing ACLs:
■ Higher to lower security
– The traffic is to be restricted outbound.
– The source address argument of the ACL command is the actual address of the host or network.
■ Lower to higher
– Traffic is to be restricted inbound to a higher security level network or host.
– The destination host must have a statically mapped address.
– The destination address argument of the ACL command is the “global ip” address assigned in the static command.
access-list Command
access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
• Enables you to create an ACL
• ACLs associated with IPSec are known as “crypto” ACLs
The access-list command lets you specify if an IP address is permitted or denied access to a port or protocol. In this document, one or more access-list command statements with the same ACL name are referred to as an “access list.” Access lists associated with IPSec are known as “crypto access lists.” By default, all access in an access list is denied. You must explicitly permit it. The show access-list command lists the access-list command statements in the configuration. The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search. The clear access-list command removes all access-list command statements from the configuration.
CAUTION This command also stops all traffic through the PIX Firewall on the affected access-list command statements.
The no access-list command removes an access-list command from the configuration. If you remove all the access-list command statements in an access list group, the no access-list command also removes the corresponding access-group command from the configuration.
Note
The access-list command uses the same syntax as the Cisco IOS software access-list command except that the subnet mask in the PIX Firewall access-list command is reversed from the Cisco IOS software version of this command. For example, a subnet mask specified as 0.0.0.255 in the Cisco IOS access-list command would be specified as 255.255.255.0 in the PIX Firewall access-list command.
The syntax for the access-list commands is as follows:
access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
no access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
show access-list
acl_name: Name of an ACL. You can use either a name or number.
deny: Does not allow a packet to travel through the PIX Firewall. By default, the PIX Firewall denies all inbound packets unless you specifically permit access.
permit: Selects a packet to travel through the PIX Firewall.
protocol: Name or number of an IP protocol. It can be one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip.
src_addr: Address of the network or host from which the packet is being sent.
local_addr: Address of the network or host local to the PIX Firewall. Specify a local_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement. The local_addr is the address after NAT has been performed.
src_mask: Netmask bits (mask) to be applied to src_addr, if the source address is for a network mask.
local_mask: Netmask bits (mask) to be applied to local_addr, if the local address is a network mask.
operator: A comparison operand that lets you specify a port or a port range. Use without an operator and port to indicate all ports. Valid operand keywords are lt, gt, eq, neq and range. Use range and a port range to permit or deny access to only those ports named in the range. For example, use range 10 1024 to permit or deny access only to ports 10 through 1024.
port: Services you permit or deny access to. Specify services by the port that handles them, such as smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number in the range of 0 to 65535.
destination_addr: IP address of the network or host to which the packet is being sent.
destination_mask: Netmask bits (mask) to be applied to destination_addr, if the destination address is a network mask.
remote_addr: IP address of the network or host remote to the PIX Firewall. Specify a remote_addr when the access-list command statement is used in conjunction with a crypto access-list command statement, a nat 0 access-list command statement, or a vpngroup split-tunnel command statement.
remote_mask: Netmask bits (mask) to be applied to remote_addr, if the remote address is a network mask.
Note
For inbound connections, destination_addr is the address after NAT has been performed. For outbound connections, destination_addr is the address before NAT has been performed.
access-group Command
access-group acl_name in interface interface_name
• Binds an ACL to an interface
• The ACL is applied to traffic inbound to an interface
pixfirewall(config)# access-group dmz1 in interface dmz
• ACL “dmz1” is bound to interface “dmz”
The access-group command binds an ACL to an interface. The ACL is applied to traffic inbound to an interface. Only one ACL can be bound to an interface using the access-group command. The no access-group command unbinds the acl_name from the interface interface_name. The show access-group command displays the current ACL bound to the interfaces. The clear access-group command removes all entries from an ACL indexed by acl_name. If acl_name is not specified, all access-list command statements are removed from the configuration. The syntax for the access-group commands is as follows:
access-group acl_name in interface interface_name
no access-group acl_name in interface interface_name
show access-group acl_name in interface interface_name
clear access-group
acl_name: The name associated with a given ACL.
in interface: Filters inbound packets at the given interface.
interface_name: The name of the network interface.
Converting Conduits to Access Control Lists
This section explains how to convert conduits to access control lists (ACLs).
ACLs Versus Conduits
ACL: An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level.
Conduit: A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another.
It is recommended to use ACLs rather than conduits in your PIX Firewall configuration. This is for future compatibility and greater ease of use for those familiar with Cisco IOS access control. The access-list command in the PIX Firewall uses the same syntax as the Cisco IOS command of the same name with one very important difference. The subnet mask in the PIX Firewall access-list command is specified the same as in all other PIX Firewall commands. This is very different from the Cisco IOS version of the command. Whether you are configuring a PIX Firewall for the first time or converting from conduits to ACLs, it is important to understand the similarities and differences in the two commands. Probably the most important similarity is that either can be combined with a static command to permit or deny connections from outside the PIX Firewall to access TCP/UDP services on hosts inside the network. More specifically, they can both be used to permit or deny connections from a lower security interface to a higher security interface. Some of the most important differences are as follows:
■ A conduit operates from one interface to another, whereas the access-list command used with the access-group command applies only to a single interface. A conduit defines the traffic that can flow between two interfaces while an ACL affects all traffic entering the interface to which it is applied. ACLs have an implicit deny at the end. Once you apply an ACL to an interface, packets inbound to that interface must follow the rules of the ACL regardless of the interface security level.
Note
“Inbound” in this context means traffic passing through the interface, rather than the more typical PIX Firewall usage of inbound meaning traffic passing from a lower security level interface to a higher security level interface.
■ The access-list command only controls access if used in conjunction with another command, the access-group command, which binds it to an interface. Conduits, however, are not bound to an interface at all.
■ The access-list and access-group command statements take precedence over the conduit command statements in your configuration.
■ ACLs are somewhat more flexible than conduits. They can be used to restrict connections from a higher security interface to a lower security interface as well as permit or deny connections from a lower security interface to a higher security interface.
Note
The conduit command is still supported to maintain backward compatibility of configurations written for previous PIX Firewall versions.
• The PIX Firewall configuration pertaining to the DMZ contains
– A NAT and a global pool for the DMZ.
– Statics for the FTP server and mail server.
– A conduit permitting access to the FTP server from the DMZ.
– An ACL on the DMZ interface permitting access to the mail server.
• The action specified for both the conduit and the ACL is permit.
[Figure: DMZ network 172.16.0.0/24 on e2 (.1); inside network 10.0.0.0/24 on e1 (.1) with FTP server (.3) and mail server (.4); outside e0 (.2) toward www.cisco.com; the DMZ user’s browser shows “The page cannot be displayed”]
In the example in the figure, an ACL is bound to the DMZ interface. The purpose of this ACL is to allow access from the DMZ clients to the mail server on the internal network, and the user is able to access the mail server. However, the user is unable to access the Internet or the internal FTP server. At first glance, both of the access problems the user is having may seem odd. Normally, with correctly configured NAT and global statements in place, connections from a higher-level interface to a lower-level interface should pass through with no problems. It would also seem that the user should be able to access the internal FTP server since the appropriate static and conduit have been configured. The following page shows the configuration that caused these problems.
The example in the figure shows a portion of the configuration in the PIX Firewall on the previous figure. In this example, a new network security specialist was given the task of setting up a DMZ and configuring its security. The security specialist was given the following instructions:
■ Allow users on the DMZ network web access to the Internet.
■ Allow users on the DMZ to access the FTP server on the inside.
■ Allow users on the DMZ to access the mail server on the inside.
The security specialist took the following steps to implement the policy:
Step 1
NAT and global statements were created to allow outbound access from the DMZ. Testing proved this configuration to be correct.
Step 2
A static mapping for the internal FTP server’s 10.0.0.3 address was created, allowing it to appear to DMZ users as 172.16.0.10, which is an address on their own network. A conduit was then created to work with the FTP server’s static. This configuration was tested and found to be successful: access was permitted to the internal FTP server from the DMZ.
Step 3
Another static statement was created, which mapped the internal mail server’s 10.0.0.4 address to 172.16.0.12. Because Cisco was moving toward the use of ACLs rather than conduits, it was decided to try one. An ACL permitting DMZ users to access the mail server’s statically mapped address was created. Once again, testing proved that this configuration was working.
Step 4
After the previous three steps, the security administrator thought that the configuration was working, but when users began calling for assistance, the following was discovered:
■ Due to the implicit deny at the end of any ACL, even an ACL containing the permit option and no deny options can block traffic. When the ACL was bound to the DMZ interface, all traffic was denied except that which was explicitly permitted by that ACL. This included denying access to a lower security level.
■ Even though a conduit expressly permits access to a host on a higher level interface, an ACL can override it, rendering it ineffective. This is why DMZ users were suddenly unable to access the FTP server.
The network security specialist decided to convert from conduits to ACLs, a task that proved amazingly easy.
The Solution: Convert Conduits to ACLs
Because it is now recommended that you use ACLs instead of conduits in the PIX Firewall, you may want to convert the existing conduits in your configuration to ACLs. A look at the syntax for the conduit and access-list commands reveals that this is not a difficult task:
conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]
access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
An ACL can be created from a conduit by using the conduit command arguments in the access-list command. This works because the foreign_ip option of the conduit command is the same as the src_addr in the access-list command, and the global_ip option in the conduit command is the same as the dest_addr in the access-list command. The following is an overlay of the conduit command on the access-list command (it can be used as a guide in your conversion):
access-list acl_name permit|deny protocol foreign_ip foreign_mask foreign_operator foreign_port [foreign_port] global_ip global_mask global_operator global_port [global_port]
For example, the following conduit becomes the ACL shown beneath it:
conduit permit tcp host 192.168.0.10 eq www any
access-list acl_in permit tcp any host 192.168.0.10 eq www
The new access-list command, like the conduit command, permits any host on the outside interface to access global IP address 192.168.0.10 over port 80 (www). Remember, however, that you must associate the ACL with an interface by using the access-group command.
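The overlay above is mechanical enough to script, and scripting it removes the transcription errors that creep in when a long conduit list is converted by hand. The following added example (not code from the course or from Cisco) applies the overlay: it parses a conduit command's global and foreign address specs (any, host A, or A MASK) and their optional operator/port arguments, swaps them into the access-list order, and appends the access-group command that the text reminds you is still required. It also includes the IOS-to-PIX mask conversion from the earlier note on the reversed subnet mask, so an IOS wildcard such as 0.0.0.255 can be turned into the 255.255.255.0 form the PIX expects. Conduit and ACL strings passed to it in the usage and tests are constructed inputs; the first is the chapter's own example.

```python
import ipaddress

# Port operators the conduit and access-list commands share.
OPERATORS = {"lt", "gt", "eq", "neq", "range"}


def ios_wildcard_to_pix_mask(wildcard: str) -> str:
    """Turn an IOS wildcard mask (0.0.0.255) into the PIX netmask form (255.255.255.0).

    The PIX access-list command takes a normal netmask, the reverse of the IOS
    access-list wildcard, so inverting every bit converts between the two.
    """
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def _take_address(tokens, i):
    """Consume one address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_ports(tokens, i):
    """Consume an optional operator/port spec; returns ("", i) when none is present."""
    if i < len(tokens) and tokens[i] in OPERATORS:
        if tokens[i] == "range":
            return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    return "", i


def conduit_to_access_list(conduit: str, acl_name: str) -> str:
    """Apply the chapter's overlay: foreign_ip becomes the ACL source, global_ip the destination.

    conduit permit|deny protocol global_ip global_mask [op port] foreign_ip foreign_mask [op port]
    access-list acl_name permit|deny protocol foreign_spec [op port] global_spec [op port]
    """
    tokens = conduit.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit command: {conduit!r}")
    action, protocol = tokens[1], tokens[2]
    global_spec, i = _take_address(tokens, 3)
    global_ports, i = _take_ports(tokens, i)
    foreign_spec, i = _take_address(tokens, i)
    foreign_ports, i = _take_ports(tokens, i)
    # An ICMP conduit may end with a message type (for example echo-reply), which
    # keeps the same trailing position in the access-list form.
    icmp_type = ""
    if protocol == "icmp" and i < len(tokens):
        icmp_type, i = tokens[i], i + 1
    if i != len(tokens):
        raise ValueError(f"unparsed trailing tokens: {tokens[i:]}")
    parts = ["access-list", acl_name, action, protocol, foreign_spec, foreign_ports,
             global_spec, global_ports, icmp_type]
    return " ".join(p for p in parts if p)


def convert_conduits(conduits, acl_name: str, interface: str) -> list:
    """Convert a set of conduits as a unit and append the binding access-group command.

    The ACL does nothing until access-group binds it, and once bound it carries an
    implicit deny, so every conduit that should survive must be converted together.
    """
    lines = [conduit_to_access_list(c, acl_name) for c in conduits]
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


if __name__ == "__main__":
    for line in convert_conduits(["conduit permit tcp host 192.168.0.10 eq www any"],
                                 "acl_in", "outside"):
        print(line)
```

The converter deliberately refuses input it cannot fully account for (a leftover token raises ValueError) rather than silently dropping an argument, because a dropped port operator would widen the resulting permit.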
ACLs in Action
• Conduits are converted to ACLs.
• The user is able to access the FTP server, mail server, and Internet.
• All other traffic originating from the DMZ is denied.
The figure shows the PIX Firewall configuration sample after the security specialist in the previous example converted conduits to ACLs. The configuration now contains three access-list statements, one to permit each of the following:
■ Allow users on the DMZ network web access to the Internet.
■ Allow users on the DMZ to access the FTP server on the inside.
■ Allow users on the DMZ to access the mail server on the inside.
Configuring Access Control This section explains how to configure access control to and through the PIX Firewall.
Deny Web Access to the Internet
pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
...
• Denies web traffic on port 80 from the inside network to the Internet
• Permits all other IP traffic from the inside network to the Internet
In the figure, ACL acl_out is applied to traffic inbound to the inside interface. The ACL acl_out denies HTTP connections from an internal network, but lets all other IP traffic through. Applying an ACL to the inside interface restricts internal users establishing outside connections.
Note
The internal network addresses (10.0.0.0) are dynamically translated (192.168.0.20-254) to allow outbound connections.
Permit Web Access to the DMZ
[Figure: Internet; outside network 192.168.0.0/24 (PIX .2); inside network 10.0.0.0/24 (PIX .1); DMZ network 172.16.0.0/24 (PIX .1) with web server .2]
pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
...
• The ACL acl_in_dmz permits web traffic on port 80 from the Internet to the DMZ web server.
• The ACL acl_in_dmz denies all other IP traffic from the Internet.
In the figure, ACL acl_in_dmz is applied to traffic inbound to the outside interface. The ACL acl_in_dmz permits Web connections from the Internet to a public Internet web server. All other IP traffic is denied access to the DMZ or inside networks.
Note
The static mapping of an outside address (192.168.0.11) to the DMZ web server (172.16.0.2) is required to allow the traffic.
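The two configurations above, and the DMZ story in the conduit-conversion section, all turn on the same evaluation rule: entries are tried in order, the first match decides, and a packet that matches nothing is dropped by the implicit deny. The following added example (not code from the course or from Cisco) is a small first-match evaluator that encodes acl_out and acl_in_dmz exactly as the page shows them and replays the DMZ incident: the specialist's first ACL (only the mail-server permit) drops the FTP and Internet flows through the implicit deny, while the converted three-entry ACL passes all three. It models only destination-port operators, and the mail (25) and FTP (21) ports, the DMZ client 172.16.0.3, and the Internet host 203.0.113.80 are assumptions; the chapter names the statically mapped server addresses but not the ports or the client.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")


def host(addr: str) -> IPv4Network:
    """The 'host A' form of an address argument."""
    return IPv4Network(f"{addr}/32")


@dataclass(frozen=True)
class Ace:
    """One access-list command statement. Only destination-port operators are modelled."""
    action: str                                       # "permit" or "deny"
    protocol: str                                     # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[Tuple[str, int, int]] = None   # (operator, port, port2); None = all ports


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int] = None


def _port_matches(rule, port) -> bool:
    if rule is None:
        return True
    if port is None:
        return False
    op, a, b = rule
    if op == "range":
        return a <= port <= b
    return {"eq": port == a, "neq": port != a, "lt": port < a, "gt": port > a}[op]


def evaluate(acl: List[Ace], pkt: Packet):
    """First matching entry decides; with no match the packet is dropped (implicit deny).

    Returns (action, index of the matching entry); the index is None for the implicit deny.
    """
    for idx, ace in enumerate(acl):
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        if pkt.src not in ace.src or pkt.dst not in ace.dst:
            continue
        if not _port_matches(ace.dst_port, pkt.dst_port):
            continue
        return ace.action, idx
    return "deny", None


def check(acl, protocol, src, dst, dst_port=None):
    """Convenience wrapper that takes addresses as strings."""
    return evaluate(acl, Packet(protocol, IPv4Address(src), IPv4Address(dst), dst_port))


# acl_out, bound to the inside interface: no HTTP out, everything else permitted.
ACL_OUT = [
    Ace("deny", "tcp", ANY, ANY, ("eq", 80, 80)),
    Ace("permit", "ip", ANY, ANY),
]
# acl_in_dmz, bound to the outside interface: HTTP to the web server's static, nothing else.
ACL_IN_DMZ = [
    Ace("permit", "tcp", ANY, host("192.168.0.11"), ("eq", 80, 80)),
    Ace("deny", "ip", ANY, ANY),
]
# The DMZ story. Ports 25 and 21 are assumptions (the chapter gives only the static addresses).
DMZ_ACL_BEFORE = [
    Ace("permit", "tcp", ANY, host("172.16.0.12"), ("eq", 25, 25)),
]
DMZ_ACL_AFTER = [
    Ace("permit", "tcp", ANY, ANY, ("eq", 80, 80)),                  # web to the Internet
    Ace("permit", "tcp", ANY, host("172.16.0.10"), ("eq", 21, 21)),  # FTP server static
    Ace("permit", "tcp", ANY, host("172.16.0.12"), ("eq", 25, 25)),  # mail server static
]
# Constructed DMZ client and Internet web host (203.0.113.0/24 is documentation space).
DMZ_TRAFFIC = [
    ("tcp", "172.16.0.3", "172.16.0.12", 25),   # mail
    ("tcp", "172.16.0.3", "172.16.0.10", 21),   # FTP
    ("tcp", "172.16.0.3", "203.0.113.80", 80),  # Internet web
]


def dmz_before_and_after() -> dict:
    """Outcome of the three DMZ flows under the specialist's first ACL and the converted one."""
    return {
        "before": [check(DMZ_ACL_BEFORE, *flow)[0] for flow in DMZ_TRAFFIC],
        "after": [check(DMZ_ACL_AFTER, *flow)[0] for flow in DMZ_TRAFFIC],
    }
```

The first entry of DMZ_ACL_AFTER is as broad as the chapter's wording (web access to the Internet); in a real configuration a deny for the inside network's addresses would sit ahead of it, since "permit tcp any any eq www" on the DMZ interface also reaches inside hosts.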
Partner Web Access to DMZ and DMZ Access to Internal Mail

• The ACL acl_partner permits WWW traffic from the partner subnet 172.18.0.0/28 to the DMZ intranet web server.
• The ACL acl_dmz_in permits host 172.16.0.4 mail access to 10.0.0.4.
In the figure, ACL acl_partner is applied to traffic inbound to the partnernet interface. The ACL acl_partner permits Web connections from the hosts on network 172.18.0.0/28 to the DMZ web server via its statically mapped address, 172.18.0.17. All other traffic from the Partner network is denied. The ACL acl_dmz_in is applied to traffic inbound to the DMZ interface. The ACL acl_dmz_in permits the host 172.16.0.4 mail access to the internal mail server on the inside interface. All other traffic originating from the DMZ network is denied.
In the VPN solution, the PIX Firewall has two dedicated interfaces connected to a Cisco Virtual Private Network (VPN) Concentrator. The dmz interface is connected to the VPN Concentrator's public interface, and the dmz2 interface is connected to the VPN Concentrator's private interface. The VPN Concentrator is configured to assign VPN Clients an address from the 10.0.21.33-62 pool. A static route on the PIX Firewall is defined to route traffic destined for the VPN Client pool back toward the VPN Concentrator, and a static translation is needed on the PIX Firewall to allow communication between the VPN Clients and hosts on the inside network. The PIX Firewall is configured with the following two ACLs to control traffic inbound from the Internet and traffic from the VPN Clients to the PIX Firewall inside network:

■ The PIX Firewall ACL “IPSEC” allows IPSec traffic and HTTPS from the Internet to the public interface of the VPN Concentrator; nothing else is permitted to the VPN Concentrator.

■ The PIX Firewall ACL “WEB” allows HTTP traffic from the VPN Clients (10.0.21.33-62) to the inside web server (10.0.0.10).
icmp Command

pixfirewall(config)#
icmp permit | deny [host] src_addr [src_mask] [type] int_name

• Enables or disables pinging to an interface

pixfirewall(config)# icmp deny any echo-reply outside
pixfirewall(config)# icmp permit any unreachable outside

• With these two statements, pings of the outside interface fail and ICMP unreachable messages to it are permitted. Once any icmp statement exists, an ICMP type that matches no statement, such as an echo request (type 8), is dropped by the implicit deny; the explicit deny additionally drops echo replies addressed to the outside interface.
You can enable or disable pinging to a PIX Firewall interface. With pinging disabled, the PIX Firewall does not answer echo requests sent to that interface and so does not reveal itself on the network by responding to pings. The icmp command implements this feature, which is also referred to as configurable proxy pinging.

Note: By default, pinging through the PIX Firewall to a PIX Firewall interface is not allowed; for example, an inside host cannot ping the address of the outside interface. Pinging an interface from a host on that interface is allowed.
To use the icmp command, configure an icmp command statement that permits or denies ICMP traffic that terminates at the PIX Firewall. Statements are evaluated in order and the first match decides: if the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry, or no entry matches, the PIX Firewall discards the ICMP packet and generates the %PIX-3-313001 Syslog message. The exception is when no icmp command statement is configured at all, in which case permit is assumed. These statements govern only ICMP addressed to the PIX Firewall's own interfaces; ICMP passing through the firewall to other hosts is not affected by them.

Note: Cisco recommends that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU Discovery, which can halt IPSec and PPTP traffic. See RFC 1191 and RFC 1435 for details about Path MTU Discovery.
The clear icmp command removes icmp command statements from the configuration. The syntax for the icmp commands is as follows:

icmp permit | deny [host] src_addr [src_mask] [type] int_name
no icmp permit | deny [host] src_addr [src_mask] [type] int_name
clear icmp
show icmp

permit | deny
    Permit or deny the ability to ping a PIX Firewall interface.
src_addr
    Address that is either permitted or denied the ability to ping an interface. Use host src_addr to specify a single host.
src_mask
    (Optional) Network mask. Specify if a network address is specified.
type
    (Optional) ICMP message type as described in the table ICMP Type Literals.
int_name
    Interface name that can be pinged.
The following table lists the ICMP type literals that can be used in the type argument of the icmp command to designate which message types are permitted or denied.

ICMP Type Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
4           source-quench
5           redirect
6           alternate-address
8           echo
9           router-advertisement
10          router-solicitation
11          time-exceeded
12          parameter-problem
13          timestamp-reply
14          timestamp-request
15          information-request
16          information-reply
17          mask-request
18          mask-reply
31          conversion-error
32          mobile-redirect
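The simulation below is an added example, not PIX software and not from the course guide. It encodes the icmp command behaviour described above (permit assumed when no statements exist, first match wins once any statement exists, unmatched packets dropped) and the type literals from the table, then applies the slide's two statements to show why "icmp deny any echo-reply outside" plus "icmp permit any unreachable outside" stops pings of the outside interface while keeping Path MTU Discovery working. The Internet source address 203.0.113.9 is constructed. The model does not attempt to capture how statements written for one interface affect ICMP to another interface, so evaluate only interfaces that have statements.

```python
"""Simulation of the icmp command's first-match rule for ICMP that terminates
on a PIX Firewall interface. Added example; not PIX software and not from the
course guide. It encodes the behaviour described above: with no icmp
statements configured, permit is assumed; once any statement exists, the
first matching entry decides and an unmatched packet is dropped (the case
that logs %PIX-3-313001). It does not model how statements on one interface
affect ICMP to another interface; evaluate only interfaces that have
statements.
"""
import ipaddress

# Type literals from the table above (ICMP type number -> literal).
ICMP_TYPE_LITERALS = {
    0: "echo-reply", 3: "unreachable", 4: "source-quench", 5: "redirect",
    6: "alternate-address", 8: "echo", 9: "router-advertisement",
    10: "router-solicitation", 11: "time-exceeded", 12: "parameter-problem",
    13: "timestamp-reply", 14: "timestamp-request", 15: "information-request",
    16: "information-reply", 17: "mask-request", 18: "mask-reply",
    31: "conversion-error", 32: "mobile-redirect",
}
LITERAL_TO_TYPE = {v: k for k, v in ICMP_TYPE_LITERALS.items()}


def parse_icmp_statements(config: str) -> list:
    """Parse 'icmp permit|deny [host] src_addr [src_mask] [type] int_name' lines
    into (action, network, icmp_type_or_None, interface) tuples, in order."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "icmp" or t[1] not in ("permit", "deny"):
            continue
        action, rest = t[1], t[2:]
        if rest[0] == "any":
            net, rest = ipaddress.IPv4Network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            net, rest = ipaddress.IPv4Network(rest[1] + "/32"), rest[2:]
        else:
            net, rest = ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
        icmp_type = None
        if len(rest) == 2:  # the optional type precedes int_name
            icmp_type = LITERAL_TO_TYPE[rest[0]] if rest[0] in LITERAL_TO_TYPE else int(rest[0])
        rules.append((action, net, icmp_type, rest[-1]))
    return rules


def icmp_to_interface(rules: list, src: str, icmp_type: int, interface: str) -> str:
    """Decide whether an ICMP packet addressed to 'interface' is processed or dropped."""
    if not rules:
        return "permit"  # no icmp statements at all: permit is assumed
    s = ipaddress.IPv4Address(src)
    for action, net, rule_type, rule_if in rules:
        if rule_if != interface or s not in net:
            continue
        if rule_type is not None and rule_type != icmp_type:
            continue
        return action  # first match wins
    return "deny"  # statements exist but none matched: dropped and logged


# The two statements from the slide above.
SLIDE_CONFIG = """
icmp deny any echo-reply outside
icmp permit any unreachable outside
"""
RULES = parse_icmp_statements(SLIDE_CONFIG)
INTERNET_HOST = "203.0.113.9"  # constructed source address


def ping_outside_allowed(src: str = INTERNET_HOST) -> bool:
    """Echo request (type 8) from the Internet to the outside interface: no
    statement matches type 8, so the implicit deny applies."""
    return icmp_to_interface(RULES, src, LITERAL_TO_TYPE["echo"], "outside") == "permit"


def unreachable_outside_allowed(src: str = INTERNET_HOST) -> bool:
    """Type 3 must be permitted or Path MTU Discovery breaks."""
    return icmp_to_interface(RULES, src, LITERAL_TO_TYPE["unreachable"], "outside") == "permit"


if __name__ == "__main__":
    print("ping outside:", ping_outside_allowed())                      # False
    print("unreachable to outside:", unreachable_outside_allowed())     # True
    print("no statements, ping:", icmp_to_interface([], INTERNET_HOST, 8, "outside"))  # permit
```

The third line of output is the point the Note makes about defaults: an empty configuration permits everything, so the first icmp statement you add switches the interface to deny-by-default for every type you did not list, and type 3 should be on that list.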
Securing Remote Configuration with SSH

Figure: SSH client at 172.26.26.50 on network 172.26.26.0/24 connects to the PIX Firewall with username pix and the PIX Telnet password.

pixfirewall(config)#
ssh ip_address [netmask] [interface_name]

• Specifies the host or network authorized to initiate an SSH connection to the PIX Firewall.

pixfirewall(config)# ca generate rsa key 768
PIX Firewall software versions 5.2 and higher enable you to remotely configure your PIX Firewall with a higher degree of security than was possible in prior versions. Prior to 5.2, the security of remote configuration was limited to what Telnet provides: the password crosses the network in the clear unless a lower layer, such as an IPSec tunnel, encrypts the session. Versions 5.2 and higher support Secure Shell (SSH) remote access as provided in SSH version 1, which provides strong authentication and encryption of the session. The SSH-1 protocol itself has known cryptographic weaknesses, which is one more reason to restrict the permitted client addresses tightly.

SSH, an application running on top of a reliable transport layer such as TCP, supports logging onto another computer over a network, executing commands remotely, and moving files from one host to another. Both ends of an SSH connection are authenticated, and passwords are protected by being encrypted. Because SSH uses RSA public key cryptography, you must generate an RSA key pair for the PIX Firewall before clients can connect to the PIX Firewall console. Your PIX Firewall must also have a Data Encryption Standard (DES) or Triple-DES (3DES) activation key.

The PIX Firewall allows up to five SSH clients to simultaneously access its console. You can define specific hosts or networks that are authorized to initiate an SSH connection to the PIX Firewall, as well as how long a session can remain idle before being disconnected. The ssh ip_address command specifies the host or network authorized to initiate an SSH connection to the PIX Firewall; a host not covered by an ssh statement is refused. The ssh timeout command lets you specify the duration in minutes that a session can be idle before being disconnected; the default is five minutes. Use the show ssh sessions command to list all active SSH sessions on the PIX Firewall. The ssh disconnect command lets you disconnect a specific session. Use the clear ssh command to remove all ssh command statements from the configuration, and the no ssh command to remove selected ssh command statements.
The syntax for the ssh commands is as follows:

ssh disconnect session_id
no ssh disconnect session_id
ssh ip_address [netmask] [interface_name]
no ssh ip_address [netmask] [interface_name]
ssh timeout mm
no ssh timeout mm
show ssh [sessions [ip_address]]
show ssh timeout
clear ssh

ip_address
    IP address of the host or network authorized to initiate an SSH connection to the PIX Firewall.
netmask
    Network mask for ip_address. If you do not specify a netmask, the default is 255.255.255.255 regardless of the class of ip_address.
interface_name
    PIX Firewall interface name on which the host or network initiating the SSH connection resides.
mm
    The duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes. The allowable range is from 1 to 60 minutes.
session_id
    SSH session ID number available from the show ssh sessions command.
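A reviewer of a PIX configuration wants to know who can reach the console over SSH, from which interface, with what key size and idle timeout. The script below is an added example, not Cisco code, that audits the ssh-related statements in a saved configuration using the rules from this section (ssh ip_address [netmask] [interface_name] with the default mask 255.255.255.255, ssh timeout with a default of 5 minutes, the RSA key generated with ca generate rsa key). The two configuration fragments are constructed around the slide's management host 172.26.26.50; the ca generate line is included in them only so the audit has a key size to read. The thresholds it applies (flag RSA keys below 1024 bits, SSH permitted from the outside interface or from 0.0.0.0/0, a network wider than /24, or an idle timeout raised above the default) are this example's own review policy, not Cisco's.

```python
"""Audit of SSH console-access statements in a PIX configuration dump.

Added example; not Cisco code. Applies the rules from this section:
'ssh ip_address [netmask] [interface_name]' (default netmask 255.255.255.255
regardless of address class), 'ssh timeout mm' (default 5, range 1-60) and
the RSA key size from 'ca generate rsa key'. The thresholds below are this
example's own policy choices, not Cisco's.
"""
import ipaddress

DEFAULT_TIMEOUT_MIN = 5    # page: default idle timeout is five minutes
MIN_RSA_BITS = 1024        # assumption: review policy threshold for the RSA key
MAX_PERMIT_PREFIX = 24     # assumption: networks wider than /24 are flagged


def parse_ssh_config(config: str) -> dict:
    """Collect ssh permits, the ssh timeout and the RSA key size from config text."""
    result = {"permits": [], "timeout": DEFAULT_TIMEOUT_MIN, "rsa_bits": None}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["ssh", "timeout"]:
            result["timeout"] = int(t[2])
        elif t[0] == "ssh" and len(t) >= 2:
            addr = t[1]
            mask = t[2] if len(t) >= 3 else "255.255.255.255"  # default regardless of class
            iface = t[3] if len(t) >= 4 else "(no interface given)"
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            result["permits"].append((net, iface))
        elif t[:4] == ["ca", "generate", "rsa", "key"]:
            result["rsa_bits"] = int(t[4])
    return result


def audit_ssh(config: str) -> list:
    """Return a list of finding strings; an empty list means nothing was flagged."""
    cfg = parse_ssh_config(config)
    findings = []
    if not cfg["permits"]:
        findings.append("no ssh statements: SSH console access is not enabled")
    for net, iface in cfg["permits"]:
        if net.prefixlen == 0:
            findings.append(f"ssh permitted from any address on {iface}")
        elif net.prefixlen < MAX_PERMIT_PREFIX:
            findings.append(f"ssh permitted from a broad network {net} on {iface}")
        if iface == "outside":
            findings.append(f"ssh permitted from the outside interface ({net})")
    if cfg["rsa_bits"] is not None and cfg["rsa_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is {cfg['rsa_bits']} bits; below {MIN_RSA_BITS}")
    if cfg["timeout"] > DEFAULT_TIMEOUT_MIN:
        findings.append(f"ssh idle timeout raised to {cfg['timeout']} minutes")
    return findings


# Constructed fragment modelled on the slide (172.26.26.50 is the management
# host in the figure). The outside permit, the 768-bit key and the 60-minute
# timeout are the weak settings the audit should catch.
WEAK_CONFIG = """
ca generate rsa key 768
ssh 172.26.26.50 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
"""

# Constructed hardened form: the management host only, inside interface only,
# a larger key, and the default timeout left alone.
HARDENED_CONFIG = """
ca generate rsa key 1024
ssh 172.26.26.50 255.255.255.255 inside
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssh(cfg) or ["ok"])
```

On a real device the ssh statements come from write terminal output, while the key size has to be read from show ca mypubkey rsa, because the key is saved separately from the configuration; the constructed fragments here carry the ca generate line only to keep the example self-contained.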
Malicious Active Code Filtering

The PIX Firewall can filter active content that can carry malicious code, such as Java applets and ActiveX controls.
Java Applet Filtering

• Java applet filtering enables an administrator to prevent the downloading of Java applets by an inside system.
• Java programs can provide a vehicle through which an inside system can be invaded.
• Java applets are executable programs that are banned within some security policies.
The PIX Firewall supports a Java applet filter that can stop potentially dangerous Java applications on a per-client or per-IP address basis. Java applets may be downloaded when you permit access to port 80 (HTTP), and some Java applets can contain hidden code that can destroy data on the internal network. A solution to this problem is to use the filter java command to block all Java applets.
filter java Command

pixfirewall(config)#
filter java port[-port] local_ip mask foreign_ip mask

• The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection.
• Some Java applets can contain malicious code that can manipulate data on the internal network.
Java filtering enables an administrator to prevent Java applets from being downloaded by an inside system. Java applets are executable programs that are banned by many site security policies. The syntax for the filter java command is as follows:

filter java port[-port] local_ip mask foreign_ip mask

port[-port]
    One or more ports on which Java applets may be received.
local_ip
    The IP address on the interface with the highest security level from which access is sought.
mask
    Network mask of the preceding address (local_ip or foreign_ip); 0.0.0.0, or simply 0, matches all hosts.
foreign_ip
    The IP address on the interface with the lowest security level to which access is sought.
Java programs can provide a vehicle through which an inside system can be invaded or compromised. When Java filtering is enabled, the PIX Firewall inspects the objects returned on the filtered ports for the Java class-file signature, the four bytes 0xCAFEBABE (the "cafe babe" string) that begin every compiled Java class, and drops the applet when it is found. The header of a sample Java class file looks like the following; the signature is followed by the class file's minor and major version numbers, here 0x0003 and 0x002d (version 45.3):

00000000: cafe babe 0003 002d 0099 0900 8345 0098
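The detection below is an added example, not PIX code and not from the course guide. It applies the signature check described above to the class header from the hex dump (constructed from the sixteen bytes shown), reads the version fields that follow the magic, and then shows the limit of matching the raw "cafe babe" bytes: the same class packed into a JAR, which is a ZIP archive, no longer begins with the signature, so a filter that looks only at the first bytes of the returned object does not see it. Whether a given PIX release also looks inside archives is not stated on this page; the deeper check here is the example's own.

```python
"""Java class detection by the 0xCAFEBABE signature, and its limit.

Added example; not PIX code and not from the course guide. Every compiled
Java class begins with the four-byte magic 0xCAFEBABE followed by
minor_version and major_version (big-endian 16-bit each). A raw signature
check catches a bare .class; the same class inside a JAR (a ZIP archive)
starts with 'PK' instead, so the check has to open the archive to see it.
"""
import io
import struct
import zipfile

JAVA_MAGIC = b"\xca\xfe\xba\xbe"

# First 16 bytes of the class file from the hex dump above (constructed):
# magic, minor_version 0x0003, major_version 0x002d (45, the JDK 1.1 format).
SAMPLE_CLASS_HEADER = bytes.fromhex("cafebabe0003002d0099090083450098")


def is_java_class(payload: bytes) -> bool:
    """True when the object begins with the Java class-file signature."""
    return payload[:4] == JAVA_MAGIC


def class_version(payload: bytes):
    """Return (major, minor) from a class-file header, or None if not a class."""
    if not is_java_class(payload) or len(payload) < 8:
        return None
    minor, major = struct.unpack(">HH", payload[4:8])
    return major, minor


def pack_into_jar(class_bytes: bytes, name: str = "Applet.class") -> bytes:
    """Build an in-memory JAR (ZIP) holding the class, as a browser would fetch one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(name, class_bytes)
    return buf.getvalue()


def contains_java_class(payload: bytes) -> bool:
    """Deeper check: the raw bytes, and every member of a ZIP/JAR if that is what arrived."""
    if is_java_class(payload):
        return True
    if payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as jar:
                return any(is_java_class(jar.read(n)) for n in jar.namelist())
        except zipfile.BadZipFile:
            return False  # 'PK' prefix but not a readable archive
    return False


if __name__ == "__main__":
    jar = pack_into_jar(SAMPLE_CLASS_HEADER)
    print(is_java_class(SAMPLE_CLASS_HEADER), class_version(SAMPLE_CLASS_HEADER))  # True (45, 3)
    print(is_java_class(jar), contains_java_class(jar))                          # False True
```

The version fields are worth reading in a filter because they distinguish a genuine class file from an unrelated object that happens to start with the same four bytes, and because a site policy can be stated in terms of them.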
ActiveX Blocking

• ActiveX controls are applets that can be inserted in web pages or other applications.
• ActiveX controls can provide a way for someone to attack servers.
• The PIX Firewall can be used to block ActiveX controls.
ActiveX controls, formerly known as Object Linking and Embedding (OLE) or Object Linking and Embedding control (OCX), are applets that can be inserted in web pages—often used in animations—or in other applications. ActiveX controls create a potential security problem because they can provide a way for someone to attack servers. Because of this potential security problem, you can use the PIX Firewall to block all ActiveX controls.
filter activex Command

pixfirewall(config)#
filter activex port local_ip mask foreign_ip mask

• Filters out ActiveX usage from outbound packets.

The filter activex command filters out ActiveX usage from outbound packets. The syntax for the filter activex command is as follows:

filter activex port local_ip mask foreign_ip mask

activex
    Block outbound ActiveX, Java applets, and other HTML